1      INTRODUCTION  AND  PRELIMINARIES

This paper extends earlier work (with the same general title) on decision procedures for various quantified and unquantified languages of set theory (see [Can] for an extensive bibliography on this subject). We consider the language $\mathcal{L}$ built using the elementary Boolean connectives (conjunction, disjunction, implication, negation) from set-theoretic clauses of the forms

$$x = y \cup z,\quad x = y \setminus z,\quad x \in y,\quad d = Df,\quad \mathrm{PAIR\_IN}(x,y,f),\quad \mathrm{INV}(f,g),\quad \mathrm{SINGLEVALUED}(f) \tag{1}$$

The intended meaning of the operator $D$ and predicates PAIR_IN, INV, SINGLEVALUED is the following: write the subset of $f$ consisting of all ordered pairs in $f$ as $\mathrm{pairs}(f)$, so that each $p \in \mathrm{pairs}(f)$ has the form $p = [x,y]$ (below we will be more specific on the set representation of $[x,y]$). The term $Df$ designates the domain of $f$, i.e., the set $\{x : [x,y] \in \mathrm{pairs}(f), \text{ for some } y\}$. The predicate $\mathrm{PAIR\_IN}(x,y,f)$ is true if and only if $[x,y] \in \mathrm{pairs}(f)$. Given sets $f$ and $g$, we assume that $\mathrm{INV}(f,g)$ holds if and only if $\mathrm{pairs}(f) = (\mathrm{pairs}(g))^{-1}$, i.e. for each pair $[p,q]$, $[p,q]$ belongs to $f$ if and only if the inverse pair $[q,p]$ belongs to $g$. Notice that according to our definition, each $f$ admits an entire class of inverses, e.g. $(\mathrm{pairs}(f))^{-1} \cup S$, as $S$ ranges over the sets which contain no pairs. Concerning the predicate $\mathrm{SINGLEVALUED}(f)$, we assume that it holds whenever the relation $\mathrm{pairs}(f)$ is singlevalued, i.e. $f$ contains no two distinct pairs of the form $[s,t]$ and $[s,t']$. Finally, the intended meaning of the standard operators and predicates appearing in (1) is the usual one. Hence a model $M$ of a set $P$ of sentences of $\mathcal{L}$ is a function which maps every variable $x$ appearing in $P$ into an "ordinary" set $Mx$ (of the standard universe of naive set theory). (See [CFS] for a somewhat more extended discussion of this point.) The ordered pair notion can of course be represented by any one of several more primitive set-theoretic constructions. To complete all details of the proof which is to follow, we need to choose one such, so for specificity we will define the ordered pair notion by

$$[x,y] = \{\{0,\{x\}\},\ \{2,\{y\}\}\}, \tag{2}$$

where the integers 0 and 2 have definitions given by von Neumann, namely $0 = \emptyset$, $2 = \{\emptyset,\{\emptyset\}\}$. Hence a set is an ordered pair if it has exactly two elements $e_0$, $e_2$, each of which is a pair. Exactly one of these, namely $e_0$ (resp. $e_2$) must have 0 (resp. 2) as an element; and the other element of each must be a singleton. It is then plain that the first component $x$ and the second component $y$ of $[x,y]$ can be recovered as the elements of these uniquely characterized singletons.
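
The encoding (2) and the intended meaning of $D$, PAIR_IN, INV and SINGLEVALUED can be checked on hereditarily finite sets. The following Python sketch is an added example, not part of the original paper; the function names and the sample sets are constructed for illustration, and sets are modelled as nested frozensets.

```python
# Added illustration: hereditarily finite sets as nested frozensets.
EMPTY = frozenset()
ZERO = EMPTY                                    # von Neumann 0
ONE = frozenset({EMPTY})                        # von Neumann 1 = {0}
TWO = frozenset({EMPTY, ONE})                   # von Neumann 2 = {0, {0}}


def pair(x, y):
    """Encode [x, y] = {{0, {x}}, {2, {y}}} as in (2)."""
    return frozenset({frozenset({ZERO, frozenset({x})}),
                      frozenset({TWO, frozenset({y})})})


def payload(e, tag):
    """If e = {tag, {c}} with {c} a singleton, return (True, c), else (False, None)."""
    if not isinstance(e, frozenset) or len(e) != 2 or tag not in e:
        return False, None
    (other,) = e - {tag}
    if isinstance(other, frozenset) and len(other) == 1:
        (c,) = other
        return True, c
    return False, None


def unpair(s):
    """Return (x, y) if s is an ordered pair in the sense of (2), else None."""
    if not isinstance(s, frozenset) or len(s) != 2:
        return None
    a, b = s
    # One element must carry the tag 0, the other the tag 2.
    for e0, e2 in ((a, b), (b, a)):
        ok0, x = payload(e0, ZERO)
        ok2, y = payload(e2, TWO)
        if ok0 and ok2:
            return x, y
    return None


def pairs(f):
    """pairs(f): the ordered pairs among the elements of f, decoded."""
    return {p for p in map(unpair, f) if p is not None}


def domain(f):
    """Df = {x : [x, y] in pairs(f) for some y}."""
    return frozenset(x for x, _ in pairs(f))


def pair_in(x, y, f):
    """PAIR_IN(x, y, f)."""
    return (x, y) in pairs(f)


def inv(f, g):
    """INV(f, g): pairs(f) is the inverse of pairs(g); non-pair elements are ignored."""
    return pairs(f) == {(q, p) for p, q in pairs(g)}


def singlevalued(f):
    """SINGLEVALUED(f): no two distinct pairs of f share a first component."""
    ps = pairs(f)
    return len({x for x, _ in ps}) == len(ps)


# Constructed sample: f = {[0,1], [1,2], 1}; the element 1 is not a pair.
F = frozenset({pair(ZERO, ONE), pair(ONE, TWO), ONE})
G = frozenset({pair(ONE, ZERO), pair(TWO, ONE)})
```

Adding any non-pair element to `G` (for instance `EMPTY`) leaves `inv(F, G)` true, which is the "entire class of inverses" remarked on above.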

[FOS] solves the satisfiability problem for the three-sorted language which consists of set operators $\cup$, $\setminus$, set predicates $=$, $\in$, cardinality operators $\#$, $+$, cardinality predicates $=$, $<$, $\le$, function operators $D$ (domain), $R$ (range), $f[t]$ (where $f$ is a function variable and $t$ is a set term), and function predicates singlevalued($f$), one-one($f$). Notice that in the above language constructs like $f_1 = f_2 \cup f_3$, $f_1 = f_2 \setminus f_3$, $x \in f_1$, $f_1 \in f_2$, $\mathrm{PAIR\_IN}(x,y,f)$, etc., where $f_1, f_2, f_3$ are function variables and $x, y$ are set variables, are forbidden.

This paper tackles the satisfiability problem for the one-sorted language $\mathcal{L}$, which properly extends the purely set-theoretical part (i.e. with no cardinality constructs) of the theory considered in [FOS]. In particular we will exhibit a finite and uniform procedure which decides for any given formula $P$ of $\mathcal{L}$ whether $P$ has a model or not.


By way of disjunctive normal form, it is immediate to see that the satisfiability problem for $\mathcal{L}$ reduces to the satisfiability problem for the subfamily of conjunctions of atoms or negation of atoms of type (1). In fact we can limit ourselves without loss of generality to considering simple conjunctions of positive clauses of the form (1). To this purpose, observe that $q_0 = q_0 \setminus q_0$ is equivalent to $q_0 = \emptyset$, $x \subseteq y$ is equivalent to $x \setminus y = \emptyset$, and $x = y \cap z$ is equivalent to $x = y \setminus (y \setminus z)$. Therefore, the literal $x \ne t$, where $x$ is a variable and $t$ denotes one of the terms $y \cup z$, $y \setminus z$, or $Df$, plainly equisatisfiable to $u \in w \wedge w \subseteq (x \setminus t) \cup (t \setminus x)$, with $u$ and $w$ newly introduced variables, is equisatisfiable to a conjunction of positive atoms of the form (1). Also, $x \notin y$ is equisatisfiable to $x \in w \wedge w \cap y = \emptyset$. Likewise, $\neg\,\mathrm{PAIR\_IN}(x,y,f)$ is equisatisfiable to $\mathrm{PAIR\_IN}(x,y,g) \wedge g \cap f = \emptyset$. Moreover, $\neg\,\mathrm{INV}(f,g)$ is equisatisfiable to $(\mathrm{PAIR\_IN}(x,y,f) \wedge \neg\,\mathrm{PAIR\_IN}(y,x,g)) \vee (\neg\,\mathrm{PAIR\_IN}(x,y,f) \wedge \mathrm{PAIR\_IN}(y,x,g))$. Finally, it is plain that $\neg\,\mathrm{SINGLEVALUED}(f)$ is equisatisfiable to $\mathrm{PAIR\_IN}(x,y,f) \wedge \mathrm{PAIR\_IN}(x,y',f) \wedge y \ne y'$, which is easily expressible as a conjunction of positive atoms of type (1). It is convenient to restrict ourselves, without loss of generality, to the problem of injective satisfiability, where a set-theoretic formula $P$ is said to be injectively satisfied by a model $M$ if $M$ satisfies $P$ and $M$ maps distinct variables into distinct sets (in which case $M$ is called an injective model of $P$). Plainly, as shown in [Can], the injective satisfiability problem is equivalent to the ordinary satisfiability problem.

Summing  up  we  have 

LEMMA  1.1    The  satisfiability  problem  for  propositional  combinations  of  atoms 
of  type  (1)  is  equivalent  to  the  injective  satisfiability  problem  for  conjunctions 
of  positive  atoms  of  type  (1). 

In the above discussion, we showed that constructs $q_0 = \emptyset$, $x \subseteq y$, $x = y \cap z$ (and their negations) can be expressed in the language $\mathcal{L}$. Other constructs expressible in $\mathcal{L}$ are:

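$r = Rf$, where $Rf = \{q : [p,q] \in \mathrm{pairs}(f), \text{ for some } p\}$;
$\mathrm{RESTR}(g,f,x)$, standing for $(\forall p)(\forall q)([p,q] \in g \leftrightarrow ([p,q] \in f \wedge p \in x))$;
$y = f[x]$, where $f[x] = \{q : [p,q] \in \mathrm{pairs}(f), \text{ for some } p \text{ in } x\}$;
$y = f^{-1}[x]$, where $f^{-1}[x] = \{p : [p,q] \in \mathrm{pairs}(f), \text{ for some } q \text{ in } x\}$;
$\mathrm{INJECTIVE}(f)$, standing for $(\forall p)(\forall p')(\forall q)([p,q] \in f \wedge [p',q] \in f \rightarrow p = p')$.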

Indeed, a clause of type $r = Rf$ can be eliminated by $r = Dg \wedge \mathrm{INV}(g,f)$, with $g$ a new variable; $\mathrm{RESTR}(g,f,x)$ is equivalent to $D(f \setminus g) \cap x = \emptyset \wedge D(g \setminus f) = \emptyset \wedge Dg \subseteq x$; $y = f[x]$ is equisatisfiable to $\mathrm{RESTR}(g,f,x) \wedge y = Rg$; $y = f^{-1}[x]$ is equisatisfiable to $\mathrm{INV}(g,f) \wedge y = g[x]$; $\mathrm{INJECTIVE}(f)$ is equisatisfiable to $\mathrm{INV}(g,f) \wedge \mathrm{SINGLEVALUED}(g)$ whereas clauses of type $\neg\,\mathrm{INJECTIVE}(f)$ can be eliminated by $\mathrm{INV}(g,f) \wedge \neg\,\mathrm{SINGLEVALUED}(g)$.

Before closing the present section, we intend to introduce some terminology on graphs which will be used later on in Section 3 (cf. [Jec] and [PaP]).

By a graph $G$ we mean a set $N$ of nodes together with a set $E \subseteq N \times N$ of edges. Usually we write $u \Rightarrow v$ to denote the edge which connects the startpoint $u$ with the endpoint $v$.

DEFINITION  1.2  A  graph  G  =  (N,E)  is  said  to  be  well-founded  if  it  has 
no  infinite  descending  chain. 

Notice that an analogue of the arithmetic induction principle holds for well-founded graphs. As an application, given a well-founded graph $G = (N,E)$, a notion of height can be easily defined on $N$. We put inductively

$$\mathrm{height}(v) = 0 \quad \text{if } v \text{ has no predecessors},$$

$$\mathrm{height}(v) = \sup\{\mathrm{height}(u) + 1 : u \Rightarrow v \text{ is in } E\}.$$

DEFINITION 1.3 A graph $G = (N,E)$ is said to be (quasi-)extensional, if for all $v_1, v_2 \in N$,

$$\{u \in N : u \Rightarrow v_1 \text{ is in } E\} = \{u \in N : u \Rightarrow v_2 \text{ is in } E\} \quad (\ne \emptyset)$$

implies $v_1 = v_2$.

Finally  we  will  need  the  concept  of  representation  of  a  well-founded  graph. 

DEFINITION 1.4 A function $R$ defined on the set $N$ of nodes of a well-founded graph $G = (N,E)$ and with values on a class of sets is called a representation of $G$ if for all $v_1, v_2 \in N$

(i) $R(v_1) = R(v_2)$ implies $v_1 = v_2$,
(ii) $R(v_1) \in R(v_2)$ if and only if $v_1 \Rightarrow v_2$ is in $E$.

Let $G = (N,E)$ be a well-founded graph and let $I$ be a function defined on $N$ and with values on a class of sets. Put inductively $R(v) = \{R(u) : u \Rightarrow v \text{ is in } E\} \cup I(v)$. [PaP] gives necessary and sufficient conditions on $I$ for $R$ to be a representation of $G$.


2      THE  DECISION  ALGORITHM 

Let  P  be  a  conjunction  of  simple  clauses  of  type  (1).  For  technical  reasons,  and 
without  any  loss  of  generality,  we  assume  that  P  contains  the  following  clauses 

$$q_0 = q_0 \setminus q_0,\quad U = DU,\quad \mathrm{INV}(U,U),\quad x \setminus U = q_0,\quad x \in U,\quad \mathrm{PAIR\_IN}(x,y,U), \tag{3}$$

for  all  variables  x  and  y  occurring  in  P  and  distinct  from  U ,  where  the  variable 
U  occurs  in  P  only  within  the  clauses  (3).  To  prove  that  the  above  assumption 
does  not  affect  in  any  way  our  decidability  result,  we  only  need  to  verify  that 
given  a  set  Q  of  clauses  of  type  (1),  and  putting 

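$$Q' = Q \ \wedge\ q_0 = q_0 \setminus q_0 \ \wedge\ U = DU \ \wedge\ \mathrm{INV}(U,U) \ \wedge \bigwedge_{x,y \text{ occur in } Q} \bigl(x \setminus U = q_0 \ \wedge\ x \in U \ \wedge\ \mathrm{PAIR\_IN}(x,y,U)\bigr),$$

with $q_0$ and $U$ new variables not already occurring in $Q$, then $Q$ and $Q'$ are equisatisfiable.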

Clearly any model $M'$ of $Q'$ is a model for $Q$. On the other hand let $M$ be a model for $Q$ and show how $M$ can be extended to a model for $Q'$. Firstly, put $Mq_0 = \emptyset$, so that $q_0 = q_0 \setminus q_0$ is true in the model $M$ so extended. Next let $\alpha$ be a limit ordinal such that

$$\mathrm{rank}(Mx) < \alpha, \quad \text{for all } x \text{ occurring in } Q.$$

(See [Jec] or [Can] for the definitions of limit ordinal, rank, von Neumann hierarchy of sets, etc.). Then we put

$$MU = V_\alpha,$$

where $V_\alpha$ is the $\alpha$-th level of the von Neumann hierarchy of all sets, i.e. $V_\alpha$ is the set of all sets having rank less than the ordinal $\alpha$. It is immediate to verify that $M$ so extended models correctly all conjuncts in $Q'$.

So, let $P$ be a conjunction of literals of type (1) which satisfies the additional hypothesis introduced at the beginning of the present section. Let $M$ be an injective model of $P$. Below we will derive a collection of effectively verifiable conditions on the structure of $P$ which are necessary for $P$ to be injectively satisfiable. In the next section we will prove that such conditions are also sufficient for the injective satisfiability of $P$, therefore proving, in view of Lemma 1.1, that the class of formulae in the language $\mathcal{L}$ has a solvable satisfiability problem.


Up  to  the  end  of  this  section  M  will  denote  a  given  and  fixed  injective  model 
of  P. 

Let $V = \{y_1, y_2, \ldots, y_m\}$ be the collection of all distinct variables occurring in $P$.

The  presence  in  P  of  clauses  (3)  yields  the  following  lemma. 

LEMMA 2.1 (a) $Mx \in MU$, $[Mx,My] \in MU$, and $Mx \subseteq MU$, for all variables $x, y$ in $V \setminus \{U\}$.

(b) If $[p,q] \in MU$ then $p \in MU$. Conversely, if $p \in MU$, then $[p,q] \in MU$, for some $q$.

(c) $[p,q] \in MU$ if and only if $[q,p] \in MU$, for all pairs $[p,q]$.

Let $\sigma_1, \sigma_2, \ldots, \sigma_n$ be the nonempty regions of the Venn diagram of the sets $My_1, My_2, \ldots, My_m$ in the universe $MU$ (notice that by Lemma 2.1(a) $\bigcup_{i=1}^{m} My_i = MU$). Then each set $\sigma_i$ is either wholly contained in $Mx$ or wholly disjoint from it, for each $x$ in $V$, and we can define

$$\pi_i(y) = \begin{cases} 0 & \text{if } \sigma_i \cap My = \emptyset \\ 1 & \text{if } \sigma_i \subseteq My \end{cases} \tag{4}$$

where $y$ ranges over $V$.

We put $\Pi = \{\pi_1, \pi_2, \ldots, \pi_n\}$. Notice that $\Pi$ is a subset of the set of all 0/1-valued functions defined on $V$, which is easily calculated. Furthermore, for each $y$ in $V$ we have

$$My = \bigcup_{\pi \in \Pi,\ \pi(y)=1} \sigma^\pi \tag{5}$$

where we designate by $\sigma^\pi$ the region of the Venn diagram relative to the model $M$ and the set of clauses $P$ which induces the function $\pi$, according to the definition (4).

From (5) and the disjointness of the sets $\sigma$'s, we can easily deduce some properties of the maps $\pi$'s. Let $x = y \cup z$ occur in $P$. Then $Mx = My \cup Mz$, i.e.

$$\bigcup_{\pi(x)=1} \sigma^\pi = \bigcup_{\pi(y)=1} \sigma^\pi \ \cup \bigcup_{\pi(z)=1} \sigma^\pi = \bigcup_{\pi(y)=1 \,\vee\, \pi(z)=1} \sigma^\pi .$$

Hence for each $\pi \in \Pi$, $\pi(x) = \pi(y) \vee \pi(z)$, where we have identified 0 and 1 with the truth values "false" and "true", respectively. Analogously, if $x = y \setminus z$ occurs in $P$, then we can prove that $\pi(x) = \pi(y) \wedge \neg\pi(z)$, for all $\pi$ in $\Pi$.


DEFINITION 2.2 A 0/1-valued function $\pi$ over $V$ such that $\pi(x) = \pi(y) \vee \pi(z)$ (resp. $\pi(x) = \pi(y) \wedge \neg\pi(z)$) whenever $x = y \cup z$ (resp. $x = y \setminus z$) occurs in $P$ is called a place of $P$.

We have therefore shown that $\Pi$ is a set of places of $P$.
Remark. In what follows we will often write $\pi \subseteq x$ when $\pi(x) = 1$. •

Next, let $x$ be in $V \setminus \{U\}$. It follows from Lemma 2.1(a) that $Mx \in MU$ and therefore $Mx \in \sigma^{\pi^x}$, for some place $\pi^x$. Notice that if $x \in y$ occurs in $P$, then $Mx \in My$, which in particular implies $\sigma^{\pi^x} \subseteq My$, i.e. $\pi^x(y) = 1$.

DEFINITION 2.3 Given a variable $x$ in $V \setminus \{U\}$, a place $\pi$ is said to be at the variable $x$ if $\pi(y) = 1$ for all $\in$-clauses $x \in y$ appearing in $P$.

Hence we have shown that the map $x \mapsto \pi^x$ defined above associates each variable in $P$ distinct from $U$ with a place at the same variable. Analogously, we can set the following definition.

DEFINITION 2.4 Given two variables $x$ and $y$ in $V \setminus \{U\}$, a place $\pi$ is said to be at the pair $[x,y]$ if $\pi(f) = 1$ for all clauses of type $\mathrm{PAIR\_IN}(x,y,f)$ occurring in $P$.

Therefore, for every $x, y$ in $V \setminus \{U\}$, by letting $\pi^{x,y}$ be the place of $P$ such that $[Mx,My] \in \sigma^{\pi^{x,y}}$ (cf. Lemma 2.1(a)), we have that $\pi^{x,y}$ is a place of $P$ at the pair $[x,y]$.

Having proved the existence of the set of places $\Pi$ and of the maps $x \mapsto \pi^x$ and $(x,y) \mapsto \pi^{x,y}$, such that $\pi^x$ and $\pi^{x,y}$ are places of $P$ respectively at the variable $x$ and at the pair $[x,y]$, we begin by listing a collection of conditions which are necessary for $P$ to be satisfiable.

Let $x$ and $y$ be any two distinct variables in $P$. Then, as the model $M$ is injective, $Mx \ne My$, so that by (5) there must exist a place $\pi \in \Pi$ such that $\pi(x) \ne \pi(y)$. This gives us a first necessary condition.

Condition C1. For all distinct $x, y$ occurring in $P$, there exists a place of $P$, $\pi \in \Pi$ such that $\pi(x) \ne \pi(y)$.
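
Definition 2.2, Definition 2.3 and condition C1 lend themselves to direct computation. The Python sketch below is an added example, not part of the original paper: it enumerates every place of a small constructed $P$ and reports pairs of variables that no place separates. Since $\Pi$ is a subset of the set of all places, a pair left unseparated by all places cannot satisfy C1 for any choice of $\Pi$; the clause encoding and function names are assumptions of the example.

```python
from itertools import combinations, product


def places(variables, clauses):
    """All places of P (Definition 2.2).

    `clauses` holds tuples (op, x, y, z) with op == "union" for x = y U z
    and op == "diff" for x = y \\ z.  A place is returned as a dict
    mapping each variable to 0 or 1.
    """
    out = []
    for bits in product((0, 1), repeat=len(variables)):
        pi = dict(zip(variables, bits))
        ok = True
        for op, x, y, z in clauses:
            if op == "union":
                expected = pi[y] | pi[z]
            elif op == "diff":
                expected = pi[y] & (1 - pi[z])
            else:
                raise ValueError(f"unknown clause type: {op}")
            if pi[x] != expected:
                ok = False
                break
        if ok:
            out.append(pi)
    return out


def places_at(x, place_list, memberships):
    """Places at the variable x (Definition 2.3).

    `memberships` holds tuples (u, y) standing for clauses u in y.
    """
    return [pi for pi in place_list
            if all(pi[y] == 1 for u, y in memberships if u == x)]


def unseparated(variables, place_list):
    """Pairs of distinct variables on which every given place agrees.

    A non-empty result over the full set of places means C1 must fail.
    """
    return [(x, y) for x, y in combinations(variables, 2)
            if all(pi[x] == pi[y] for pi in place_list)]


# Constructed sample 1: q0 = q0 \ q0, x = y U z, w = x \ z, and y in x.
VARS_OK = ["q0", "x", "y", "z", "w"]
CLAUSES_OK = [("diff", "q0", "q0", "q0"),
              ("union", "x", "y", "z"),
              ("diff", "w", "x", "z")]
MEMBERSHIPS_OK = [("y", "x")]

# Constructed sample 2: x = y U z and w = z U y force x and w to coincide,
# so no injective model exists.
VARS_BAD = ["x", "y", "z", "w"]
CLAUSES_BAD = [("union", "x", "y", "z"), ("union", "w", "z", "y")]
```

In sample 1 the clause $q_0 = q_0 \setminus q_0$ forces $\pi(q_0) = 0$ in every place, matching its reading as $q_0 = \emptyset$.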

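Next we observe that the rank ordering over $\{\sigma_1, \sigma_2, \ldots, \sigma_n\}$ induces a linear ordering $<$ over $\Pi$ such that

$$\text{if } \mathrm{rank}(\sigma^\alpha) < \mathrm{rank}(\sigma^\beta) \text{ then } \alpha < \beta, \quad \text{for all } \alpha, \beta \in \Pi. \tag{6}$$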


Let $\pi(x) = 1$, for some $\pi \in \Pi$ and $x \in V \setminus \{U\}$. Then, plainly, $\mathrm{rank}(\sigma^\pi) \le \mathrm{rank}(Mx) < \mathrm{rank}(\sigma^{\pi^x})$, so that $\pi < \pi^x$. This yields a second necessary condition.

Condition C2. If $\pi(x) = 1$, with $\pi \in \Pi$ and $x \in V \setminus \{U\}$, then $\pi < \pi^x$.

It is easy to show that in the absence of the map constructs $D$, INV, PAIR_IN, and SINGLEVALUED, conditions C1 and C2 are also sufficient for the injective satisfiability of $P$ (see [FOS]; in fact [FOS] gives an effective procedure which produces a model of $P$, when one such exists).

All the essential complications that need to be faced are connected with the presence in $P$ of finitely many clauses of the form $d = Df$, $\mathrm{INV}(f,g)$, $\mathrm{PAIR\_IN}(x,y,f)$, $\mathrm{SINGLEVALUED}(f)$. Note, for example, that in the presence of such clauses a satisfiable set of statements may possess infinite models only, the statement

$$f \ne \emptyset \ \wedge\ f = Df \tag{7}$$

being a case in point. This has the model

$$f = \{0,\ [0,1],\ [[0,1],2],\ [[[0,1],2],3],\ \ldots\},$$

but since each $x \in f$ is a member of a member of a member of some $y \in f$, (7) cannot have finite models.

The following definitions take a step toward elucidating the logical weight of clauses in $P$ of type $d = Df$, $\mathrm{INV}(f,g)$, and $\mathrm{SINGLEVALUED}(f)$.

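For each $\alpha \in \Pi$, put

$$\mathrm{dom}(\alpha) = \{\beta \in \Pi : \mathrm{Dom}(\sigma^\alpha) \cap \sigma^\beta \ne \emptyset\}, \tag{8}$$

$$\mathrm{inv}(\alpha) = \{\beta \in \Pi : \text{there exists } [p,q] \in \sigma^\alpha \text{ such that } [q,p] \in \sigma^\beta\}, \tag{9}$$

so that dom and inv are both maps from $\Pi$ into $\mathrm{pow}(\Pi)$.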

The  maps  dom  and  inv  have  some  useful  properties. 

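Let $\beta \in \mathrm{dom}(\alpha)$ and let $d = Df$ be a $D$-clause of $P$ such that $\alpha \subseteq f$. Hence $\sigma^\alpha \subseteq Mf$, so that $\mathrm{Dom}(\sigma^\alpha) \subseteq \mathrm{Dom}(Mf) = Md$, which by (8) yields $\sigma^\beta \subseteq Md$, i.e. $\beta \subseteq d$.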

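Next, let $\beta \in \mathrm{inv}(\alpha)$. It follows immediately from the definition (9) itself that $\alpha \in \mathrm{inv}(\beta)$. Moreover, assume that either $\mathrm{INV}(f,g)$ or $\mathrm{INV}(g,f)$ occurs in $P$. If $\alpha \subseteq f$, i.e. $\sigma^\alpha \subseteq Mf$, let $[p,q] \in \sigma^\alpha$ such that $[q,p] \in \sigma^\beta$. As $[p,q] \in Mf$, we have $[q,p] \in Mg$ implying $\sigma^\beta \subseteq Mg$, i.e. $\beta \subseteq g$. Analogously, we can prove that if $\beta \subseteq g$ then $\alpha \subseteq f$; therefore, summing up, we have proved that if $\beta \in \mathrm{inv}(\alpha)$ and either $\mathrm{INV}(f,g)$ or $\mathrm{INV}(g,f)$ occurs in $P$, then $\alpha(f) = 1$ if and only if $\beta(g) = 1$.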

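Notice also that if $\beta \in \mathrm{inv}(\alpha)$, then $\mathrm{pairs}(\sigma^\alpha), \mathrm{pairs}(\sigma^\beta) \ne \emptyset$, i.e. $\mathrm{Dom}(\sigma^\alpha), \mathrm{Dom}(\sigma^\beta) \ne \emptyset$, so that by Lemma 2.1 we have $\mathrm{Dom}(\sigma^\alpha), \mathrm{Dom}(\sigma^\beta) \subseteq MU$, which in turn implies $\mathrm{dom}(\alpha), \mathrm{dom}(\beta) \ne \emptyset$. In addition, if $\mathrm{dom}(\alpha) \ne \emptyset$, then, by (8), $\mathrm{pairs}(\sigma^\alpha) \ne \emptyset$. But, from Lemma 2.1(c), $(\mathrm{pairs}(\sigma^\alpha))^{-1} \subseteq MU$, thereby proving that $\mathrm{inv}(\alpha) \ne \emptyset$.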

The  preceding  discussion  gives  us  the  following  necessary  conditions. 

Condition C3. If $\beta \in \mathrm{dom}(\alpha)$, then
(i) $\mathrm{inv}(\alpha) \ne \emptyset$;
(ii) for all $D$-clauses $d = Df$ in $P$, if $\alpha(f) = 1$ then $\beta(d) = 1$.

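Condition C4. If $\beta \in \mathrm{inv}(\alpha)$, then
(i) $\alpha \in \mathrm{inv}(\beta)$;
(ii) $\mathrm{dom}(\alpha) \ne \emptyset$;
(iii) for all INV-clauses $\mathrm{INV}(f,g)$ or $\mathrm{INV}(g,f)$ in $P$, $\alpha(f) = 1$ if and only if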

In order to state the next condition, we need to introduce the notion of $D$-pair.

DEFINITION 2.5 A $D$-pair (relative to $P$, $\Pi$, dom, etc.) is a pair $(\Gamma, \pi)$ with $\Gamma \subseteq \Pi$ and $\pi \in \Pi$ such that

(i) $\Gamma \ne \emptyset$;
(ii) $\pi \in \mathrm{dom}(\gamma)$, for all $\gamma \in \Gamma$;

(iii) for all $\gamma_1, \gamma_2 \in \Gamma$, if $\gamma_1(f) = \gamma_2(f) = 1$, for some variable $f$ such that the clause $\mathrm{SINGLEVALUED}(f)$ appears in $P$, then $\gamma_1 = \gamma_2$;

(iv) for all $D$-clauses $d = Df$ present in $P$, if $\pi(d) = 1$ then there exists $\gamma_0 \in \Gamma$ such that $\gamma_0(f) = 1$.

We  have  the  following  lemma. 


LEMMA 2.6 Let $\pi \in \Pi$ and let $p \in \sigma^\pi$. Put

$$\Gamma_p = \{\gamma \in \Pi : p \in \mathrm{Dom}(\sigma^\gamma)\}. \tag{10}$$

Then $(\Gamma_p, \pi)$ is a $D$-pair.

Proof.  We  need  to  verify  that  conditions  (i)-(iv)  of  Definition  2.5  are  all 
satisfied. 

Condition  (i)  follows  immediately  from  Lemma  2.1(b). 

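Concerning (ii), note that if $\gamma \in \Gamma_p$ then $p \in \mathrm{Dom}(\sigma^\gamma) \cap \sigma^\pi$, i.e., by (8), $\pi \in \mathrm{dom}(\gamma)$.

Next let $\gamma_1, \gamma_2 \in \Gamma_p$ and suppose that $\gamma_1(f) = \gamma_2(f) = 1$, where $\mathrm{SINGLEVALUED}(f)$ occurs in $P$. We have $p \in \mathrm{Dom}(\sigma^{\gamma_1}) \cap \mathrm{Dom}(\sigma^{\gamma_2})$, that is there exist $q_1$ and $q_2$ such that $[p,q_1] \in \sigma^{\gamma_1}$ and $[p,q_2] \in \sigma^{\gamma_2}$. But $\sigma^{\gamma_1} \cup \sigma^{\gamma_2} \subseteq Mf$ and $Mf$ is singlevalued. Therefore $q_1$ must coincide with $q_2$, i.e. $[p,q_1] \in \sigma^{\gamma_1} \cap \sigma^{\gamma_2}$. As the sets $\sigma$'s are pairwise disjoint, it follows that $\gamma_1 = \gamma_2$, thus verifying condition (iii).

Finally, as regards (iv), let $d = Df$ be a $D$-clause in $P$ such that $\pi(d) = 1$. Then $p \in \sigma^\pi \subseteq Md = \mathrm{Dom}(Mf)$, i.e. $[p,q] \in Mf = \bigcup_{\gamma(f)=1} \sigma^\gamma$ for some $q$, i.e. $[p,q] \in \sigma^{\gamma_0}$ for some place $\gamma_0$ such that $\gamma_0(f) = 1$. In particular one has $p \in \mathrm{Dom}(\sigma^{\gamma_0}) \cap \sigma^\pi$, which yields $\gamma_0 \in \Gamma_p$ and in turn completes the verification of condition (iv). •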

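Let $\alpha \in \Pi$ be such that $\mathrm{dom}(\alpha) \ne \emptyset$. Hence there must exist $\pi \in \Pi$ such that $\mathrm{Dom}(\sigma^\alpha) \cap \sigma^\pi \ne \emptyset$. Let $p \in \mathrm{Dom}(\sigma^\alpha) \cap \sigma^\pi$. From the preceding lemma it follows that $(\Gamma_p, \pi)$ is a $D$-pair, and since obviously $\alpha \in \Gamma_p$, we have the following necessary condition.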

Condition C5. Let $\alpha \in \Pi$ such that $\mathrm{dom}(\alpha) \ne \emptyset$. Then there exists a $D$-pair $(\Gamma, \pi)$ such that $\alpha \in \Gamma$.

For any two sets $s, t$ write $s \in^* t$ if there exists a chain of intermediate elements $s_1, s_2, \ldots, s_k$, with $k \ge 0$, such that $s \in s_1 \in s_2 \in \cdots \in s_k \in t$. Then for each variable $x$ in $P$ distinct from $U$ we put

$$\Pi_x = \{\pi \in \Pi : Mx \in^* \sigma^\pi\}. \tag{11}$$

By definition, for every $x \in V \setminus \{U\}$ we have $Mx \in \sigma^{\pi^x}$ (see the discussion preceding Definition 2.3). Hence we obtain another necessary condition.

Condition C6. For all $x$ in $V \setminus \{U\}$, $\pi^x \in \Pi_x$.

Moreover, let $\alpha(x) = 1$ and $\pi \in \Pi_x$, where $x \in V \setminus \{U\}$. Therefore $\sigma^\alpha \subseteq Mx \in^* \sigma^\pi$, which yields $\mathrm{rank}(\sigma^\alpha) < \mathrm{rank}(\sigma^\pi)$. By (6) the latter inequality implies $\alpha < \pi$. Hence we have

Condition C7. Let $\alpha(x) = 1$ and $\pi \in \Pi_x$ for some $x \in V \setminus \{U\}$. Then $\alpha < \pi$.

Notice  that  condition  C2  is  a  consequence  of  conditions  C6  and  C7. 

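Recall that, by definition, $[Mx,My] \in \sigma^{\pi^{x,y}}$, for all $x, y \in V \setminus \{U\}$ (see the discussion just after Definition 2.4). Therefore $\pi^{x,y} \in \Pi_x \cap \Pi_y$. Also, as $Mx \in \mathrm{Dom}(\sigma^{\pi^{x,y}}) \cap \sigma^{\pi^x}$, we have $\pi^x \in \mathrm{dom}(\pi^{x,y})$. Finally, notice that $[Mx,My] \in \sigma^{\pi^{x,y}}$ and $[My,Mx] \in \sigma^{\pi^{y,x}}$, for all $x, y \in V \setminus \{U\}$. Hence (9) yields $\pi^{y,x} \in \mathrm{inv}(\pi^{x,y})$.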

Summing  up  the  preceding  discussion,  we  obtain  the  following  condition 
which  is  necessary  for  the  injective  satisfiability  of  P. 

Condition C8. For all $x, y \in V \setminus \{U\}$ we have:

(i) $\pi^{x,y} \in \Pi_x \cap \Pi_y$;
(ii) $\pi^x \in \mathrm{dom}(\pi^{x,y})$;
(iii) $\pi^{y,x} \in \mathrm{inv}(\pi^{x,y})$.

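Put, as in (10), $\Gamma_{Mx} = \{\gamma \in \Pi : Mx \in \mathrm{Dom}(\sigma^\gamma)\}$, with $x \in V \setminus \{U\}$. Then clearly $\Gamma_{Mx} \subseteq \Pi_x$ and $\pi^{x,y} \in \Gamma_{Mx}$, for each $y \in V \setminus \{U\}$. Moreover, for each $\gamma \in \Gamma_{Mx}$, since $Mx \in \mathrm{Dom}(\sigma^\gamma)$ then $[Mx,q] \in \sigma^\gamma$ for some $q$. But therefore by Lemma 2.1(c) and (9) $[q,Mx] \in \sigma^\delta$, for some $\delta \in \mathrm{inv}(\gamma)$. In particular, since $Mx \in^* \sigma^\delta$ we have also $\delta \in \mathrm{inv}(\gamma) \cap \Pi_x$. Observe, in addition, that since $Mx \in \sigma^{\pi^x}$, from Lemma 2.6 it follows that $(\Gamma_{Mx}, \pi^x)$ is a $D$-pair.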

Hence  we  deduce  the  following  necessary  condition. 

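Condition C9. Let $x \in V \setminus \{U\}$. Then there exists a $D$-pair $(\Gamma, \pi^x)$ such that

(i) $\Gamma \subseteq \Pi_x$;
(ii) $\pi^{x,y} \in \Gamma$, for each $y$ in $V \setminus \{U\}$;
(iii) $\mathrm{inv}(\gamma) \cap \Pi_x \ne \emptyset$, for each $\gamma \in \Gamma$.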

Next, let $\pi \in \Pi$. Since $\sigma^\pi \subseteq MU = \mathrm{Dom}(MU)$, it follows that for some $\alpha \in \Pi$, $\sigma^\pi \cap \mathrm{Dom}(\sigma^\alpha) \ne \emptyset$. Therefore Lemma 2.6 implies that there exists a $D$-pair $(\Gamma, \pi)$.

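If, moreover, $\pi \in \Pi_x$, for some $x \in V \setminus \{U\}$, then $Mx \in^* \sigma^\pi$. Choose $p \in \sigma^\pi$ such that $Mx \in^* \{p\}$. Then it follows again from Lemma 2.6 that $(\Gamma_p, \pi)$ is a $D$-pair. In addition, let $\gamma \in \Gamma_p$. We have $p \in \mathrm{Dom}(\sigma^\gamma)$, so that $Mx \in^* \sigma^\gamma$, i.e. $\gamma \in \Pi_x$. Also, as $p \in \mathrm{Dom}(\sigma^\gamma)$, $[p,q] \in \sigma^\gamma$ for some $q$. Lemma 2.1(c) implies that $[q,p] \in \sigma^\delta$ for some $\delta \in \Pi$. In fact, by (2.7), $\delta \in \mathrm{inv}(\gamma)$ and since $Mx \in^* \sigma^\delta$, we have also $\delta \in \Pi_x$.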

The  preceding  discussion  is  summarized  in  the  following  condition. 

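Condition C10. For each $\pi \in \Pi$ there exists a $D$-pair $(\Gamma, \pi)$. In addition, for each $\pi \in \Pi_x$, with $x \in V \setminus \{U\}$, there exists a $D$-pair $(\Gamma, \pi)$ such that $\Gamma \subseteq \Pi_x$ and, for each $\gamma \in \Gamma$, $\mathrm{inv}(\gamma) \cap \Pi_x \ne \emptyset$.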

Clauses of type $\mathrm{SINGLEVALUED}(f)$ have already been taken into account within the definition of $D$-pairs. Another condition concerning such clauses, which also concludes our list of necessary conditions, is the following.

Condition C11. If the clause $\mathrm{SINGLEVALUED}(f)$ appears in $P$, then for each $x, y, y' \in V \setminus \{U\}$ such that $\pi^{x,y}(f) = \pi^{x,y'}(f) = 1$ we have $y = y'$.

To show that condition C11 is necessary together with conditions C1-C10 for the injective satisfiability of $P$ we observe that if $\pi^{x,y}(f) = \pi^{x,y'}(f) = 1$, then $[Mx,My], [Mx,My'] \in Mf$. But $Mf$ must be singlevalued, hence $My = My'$. The equality $y = y'$ follows immediately from the injectivity of $M$.

The  results  proved  in  this  section  can  be  summarized  in  the  following  lemma. 

LEMMA 2.7 Let $P$ be a conjunction of simple clauses of type $x = y \cup z$, $x = y \setminus z$, $x \in y$, $d = Df$, $\mathrm{PAIR\_IN}(x,y,f)$, $\mathrm{INV}(f,g)$, $\mathrm{SINGLEVALUED}(f)$, containing also clauses (3). If $P$ is injectively satisfiable, then there exist

(i) a set $\Pi$ of places of $P$;

(ii) a map $x \mapsto \pi^x$ from $V \setminus \{U\}$ into $\Pi$ such that $\pi^x$ is a place at the variable $x$, for all $x \in V \setminus \{U\}$;

(iii) a map $(x,y) \mapsto \pi^{x,y}$ from $(V \setminus \{U\})^2$ into $\Pi$ such that $\pi^{x,y}$ is a place at the pair $(x,y)$, for all $x, y \in V \setminus \{U\}$;

(iv) a linear ordering $<$ over $\Pi$;

(v) two maps dom and inv from $\Pi$ into $\mathrm{pow}(\Pi)$;

(vi) a map $x \mapsto \Pi_x$ from $V \setminus \{U\}$ into $\mathrm{pow}(\Pi) \setminus \{\emptyset\}$

such that conditions C1-C11 are satisfied.

Plainly, all conditions stated in the preceding lemma are effectively verifiable. Therefore, in order to establish our main result, viz. that the class of unquantified set-theoretic formulae in the language $\mathcal{L}$ has a solvable decidability problem, it only remains to show that the conditions of Lemma 2.7 are also sufficient for the injective satisfiability of $P$.

This  will  be  done  in  the  next  section. 

3      PROOF  OF  SUFFICIENCY  OF  CONDITIONS  C1-C11

Again, let $P$ be a conjunction of positive clauses of type (1) containing also clauses (3) and let $V$ be the set of variables occurring in $P$. Furthermore, assume that there exist $\Pi = \{\pi_1, \pi_2, \ldots, \pi_n\}$, $x \mapsto \pi^x$, $[x,y] \mapsto \pi^{x,y}$, $<$, $\mathrm{dom} : \Pi \to \mathrm{pow}(\Pi)$, $\mathrm{inv} : \Pi \to \mathrm{pow}(\Pi)$, $x \mapsto \Pi_x$ as from (i)-(vi) of Lemma 2.7 and satisfying conditions C1-C11 of the preceding section.

In this section we will show that under such hypotheses $P$ has an injective model. More specifically, we will prove that an infinite, well-founded, quasi-extensional graph (called the skeleton model of $P$) can be built (cf. Definitions 1.2, 1.3). The skeleton model of $P$ will satisfy certain closure properties which depend on $P$ and $\Pi$, $x \mapsto \pi^x$, ..., $x \mapsto \Pi_x$. Subsequently we will show that this graph admits a representation (cf. Definition 1.4) from which an injective model $M^*$ of $P$ can be easily extracted.

In the presentation of the Construction Process (C.P.) below, we will make use of the following definition.

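DEFINITION 3.1 For any two sets $\Gamma_1, \Gamma_2 \subseteq \Pi$, we put

$$\Gamma_1 \prec \Gamma_2 \ \text{ if there exists } \gamma_2 \in \Gamma_2 \text{ such that } \gamma_1 < \gamma_2, \text{ for all } \gamma_1 \in \Gamma_1.$$

In particular, for all $x, y \in V$, we put

$$x \prec y \ \text{ if } \ \{\pi \in \Pi : \pi \subseteq x\} \prec \{\pi \in \Pi : \pi \subseteq y\}.$$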

Notice that the relation $\prec$ is acyclic and therefore extendible to a linear ordering, which throughout the present section will be denoted by the same symbol $\prec$.

In  detail,  the  skeleton  model  is  constructed  by  the  following  infinite  process. 

CONSTRUCTION  PROCESS

[INITIALIZATION  PHASE] 

(1.1) Let $v_1, v_2, v_3, \ldots$ be a countable infinity of distinct objects called nodes. Put

(1.2) $N \leftarrow \emptyset$

(1.3) $E \leftarrow \emptyset$

(1.4) $G \leftarrow (N,E)$,

where $G$, $N$ and $E$ stand respectively for the initial values of the skeleton model $G$, its set of nodes and edges.

(1.5) FOR EACH $\Sigma \subseteq \Pi$ DO

    (1.6) pick an unused node $v_\Sigma$ and put

    (1.7) $N \leftarrow N \cup \{v_\Sigma\}$

    (1.8) $\mathrm{node}(\Sigma) \leftarrow v_\Sigma$.

END FOR.

[Note: The function "node" maps $\mathrm{pow}(\Pi)$ into $N$. For simplicity, we will write $\mathrm{node}(\pi)$ instead of $\mathrm{node}(\{\pi\})$; also, for each variable $x$ occurring in $P$ we will write $\mathrm{node}(x)$ in place of $\mathrm{node}(\{\pi \in \Pi : \pi(x) = 1\})$.]

(1.9) Arrange the set of unused nodes into $(n+2)$ infinite disjoint subsets $S_1, S_2, \ldots, S_n, S_{n+1}, S_{n+2}$, where $n = |\Pi|$.

[Comment: As will be clear from the code of the following FOR-loop, the nodes in $S_i$ will be made sons of $\mathrm{node}(\pi_i)$, for $i = 1, 2, \ldots, n$. $S_{n+1}$ contains an infinite supply of nodes which will be used to force suitable closure properties. For technical reasons we will temporarily allow certain edges to be labeled. Nodes in $S_{n+2}$ will then be used in the elimination process of labeled edges.]

(1.10) FOR EACH $i \in \{1, 2, \ldots, n\}$ DO

    Put

    (1.11) $N \leftarrow N \cup S_i$

    (1.12) FOR EACH $v \in S_i$ DO

        Put

        (1.13) $E \leftarrow E \cup \{v \Rightarrow \mathrm{node}(\pi_i)\}$

        (1.14) Propagate($v$, $\pi_i$). [Note: The code for the procedure Propagate will be shown below.]

    END FOR EACH.

END FOR EACH.

[Note: The purpose of the present algorithm is to force certain closure properties, which will be discussed at length below, on the skeleton model. To this end, each node $v$ in $N$ for which the edge $v \Rightarrow \mathrm{node}(\pi_i)$ is in $E$, for some $i = 1, 2, \ldots, n$, will opportunely be processed. It will therefore be convenient to arrange all nodes in $S_1 \cup S_2 \cup \cdots \cup S_n$ in an ordered list $L_0$. Also, we will maintain a second ordered list $L_1$ which will contain new nodes produced during the processing of old nodes. A "mark" function $m$ from nodes of $L_0$ and $L_1$ into subsets of $\Pi$ will also be maintained.]

(1.15) Arrange in any convenient way all nodes in $S_1 \cup S_2 \cup \cdots \cup S_n$ in an ordered list $L_0$.

(1.16) FOR EACH node $v$ in $L_0$ DO
    Put

    (1.17) $m(v) \leftarrow \emptyset$
END FOR EACH.

(1.18) Initialize $L_1$ to the empty list.

(1.19) FOR EACH $x \in V \setminus \{U\}$ DO
    Put

    (1.20) $E \leftarrow E \cup \{\mathrm{node}(x) \Rightarrow \mathrm{node}(\pi^x)\}$

    (1.21) Add $\mathrm{node}(x)$ at the end of the list $L_1$,

    (1.22) Propagate($\mathrm{node}(x)$, $\mathrm{node}(\pi^x)$).

    Put

    (1.23) $m(\mathrm{node}(x)) = \{\pi^{x,y} \in \Pi : y \in V \setminus \{U\}\}$

END FOR EACH.
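(1.24)  FOR EACH $[x, y] \in (V \setminus \{U\})^2$ DO

    (1.25)  Pick a new node $v_{x,y}$ from $S_{n+1}$ and discard it from $S_{n+1}$.
    [Comment: The node $v_{x,y}$ represents the pair $[x, y]$.]

    Put

    (1.26)  $N \leftarrow N \cup \{v_{x,y}\}$

    (1.27)  $E \leftarrow E \cup \{\mathrm{node}(x) \stackrel{L}{\Rightarrow} v_{x,y},\ \mathrm{node}(y) \stackrel{R}{\Rightarrow} v_{x,y},\ v_{x,y} \Rightarrow \mathrm{node}(\pi^{x,y})\}$

    (1.28)  Add $v_{x,y}$ at the end of the list $L_1$.

    (1.29)  Propagate($v_{x,y}, \mathrm{node}(\pi^{x,y})$)

    (1.30)  $m(v_{x,y}) \leftarrow \emptyset$

END FOR EACH.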

[END  INITIALIZATION  PHASE] 
[STABILIZATION  PHASE] 

(S.1)  $i \leftarrow 0$

(S.2)  DO FOREVER

    (S.3)  $i \leftarrow i + 1$;

    (S.4)  $r \leftarrow i \bmod 2$;

    (S.5)  IF the list $L_r$ is empty THEN CONTINUE;
    END IF.

    (S.6)  Let $v$ be the node contained in the first location of $L_r$. Discard $v$
    from $L_r$.

    (S.7)  Let $\pi$ be the unique place in $\Pi$ such that $v \Rightarrow \mathrm{node}(\pi)$ is in $E$.

    (S.8)  Let $T_v = \{v\} \cup \{w \in N : \text{there is a path leading from } w \text{ to } v\}$.

    (S.9)  CASE $T_v \cap \{\mathrm{node}(x) : x \in V \setminus \{U\}\} = \emptyset$:

        (S.10)  Let $(\Gamma, \pi)$ be a D-pair such that $m(v) \subseteq \Gamma$.

        (S.11)  FOR EACH $\gamma \in \Gamma \setminus m(v)$ DO

            (S.12)  Let $\iota_\gamma \in \mathrm{inv}(\gamma)$, and let $(I_\gamma, \beta_\gamma)$ be a D-pair such that
            $\iota_\gamma \in I_\gamma$.

            (S.13)  Stabilize($v, \gamma, \iota_\gamma, \beta_\gamma$)  [Note: The code for the procedure
            Stabilize is shown below.]

        END FOR EACH.

    (S.14)  CASE $T_v \cap \{\mathrm{node}(x) : x \in V \setminus \{U\}\} \neq \emptyset$:

        (S.15)  Let $x_0$ be a $\prec$-maximal variable such that $\mathrm{node}(x_0) \in T_v$ (cf.
        Definition 3.1).

        (S.16)  Notice that $\pi \in \Pi_{x_0}$.

        (S.17)  Let $(\Gamma, \pi)$ be a D-pair such that $m(v) \subseteq \Gamma$, $\Gamma \subseteq \Pi_{x_0}$, and for
        each $\gamma \in \Gamma$, $\mathrm{inv}(\gamma) \cap \Pi_{x_0} \neq \emptyset$.

        (S.18)  FOR EACH $\gamma \in \Gamma \setminus m(v)$ DO

            (S.19)  Let $\iota_\gamma \in \mathrm{inv}(\gamma) \cap \Pi_{x_0}$, and let $(I_\gamma, \beta_\gamma)$ be a D-pair such that
            $\iota_\gamma \in I_\gamma$.

            (S.20)  Stabilize($v, \gamma, \iota_\gamma, \beta_\gamma$).

        END FOR EACH.

    END CASE.

END DO FOREVER.

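PROCEDURE Stabilize($v, \lambda, \mu, \nu$)

[Note: When Stabilize($v, \lambda, \mu, \nu$) is called, $v$ is a node in $N$ and $\lambda, \mu, \nu$ are
places of $P$ in $\Pi$.]

(PS.1)  Let $w$ be the first node in the list $L_0$ such that $m(w) = \emptyset$ and $w \Rightarrow \mathrm{node}(\nu)$
is in $E$.

(PS.2)  Let $u_{v,w}$ and $u_{w,v}$ be two distinct nodes in the set $S_{n+1}$. Discard them
from $S_{n+1}$.

Put

(PS.3)  $N \leftarrow N \cup \{u_{v,w}, u_{w,v}\}$;

(PS.4)  $E \leftarrow E \cup \{v \stackrel{L}{\Rightarrow} u_{v,w},\ w \stackrel{R}{\Rightarrow} u_{v,w},\ w \stackrel{L}{\Rightarrow} u_{w,v},\ v \stackrel{R}{\Rightarrow} u_{w,v},\ u_{v,w} \Rightarrow \mathrm{node}(\lambda),\ u_{w,v} \Rightarrow \mathrm{node}(\mu)\}$.

(PS.5)  Add $u_{v,w}$ and $u_{w,v}$ at the end of the list $L_1$.

(PS.6)  Propagate($u_{v,w}, \mathrm{node}(\lambda)$);

(PS.7)  Propagate($u_{w,v}, \mathrm{node}(\mu)$).

(PS.8)  $m(w) \leftarrow \{\mu\}$;

(PS.9)  $m(u_{v,w}) \leftarrow \emptyset$

(PS.10)  $m(u_{w,v}) \leftarrow \emptyset$

END PROCEDURE Stabilize.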

PROCEDURE Propagate($v, \pi$);

(PP.1)  FOR EACH $\Sigma \subseteq \Pi$ such that $\{\pi\} \subseteq \Sigma$ DO

    Put

    (PP.2)  $E \leftarrow E \cup \{v \Rightarrow \mathrm{node}(\Sigma)\}$

END FOR EACH.

END PROCEDURE Propagate.

[END  STABILIZATION  PHASE] 
[COMPLETION  PHASE] 

(C.1)  Arrange all startpoints of labeled edges contained in $E$ in an ordered list
$L_2$ such that $\mathrm{node}(q_0)$ is the first element in $L_2$.

(C.2)  FOR EACH $v$ in $L_2$ DO

    (C.3)  Let $v'$, $v_L$, and $v_R$ be distinct nodes in $S_{n+2}$. Discard them from
    $S_{n+2}$.

    [Notice: In the following 0 and 2 will stand respectively for $\mathrm{node}(q_0)$
    and $(\mathrm{node}(q_0))_L$.]

    Put

    (C.4)  $N \leftarrow N \cup \{v', v_L, v_R\}$.

    (C.5)  $E \leftarrow E \cup \{v \Rightarrow v',\ v' \Rightarrow v_L,\ 0 \Rightarrow v_L,\ v' \Rightarrow v_R,\ 2 \Rightarrow v_R\}$.

END FOR EACH.

(C.6)  FOR EACH labeled edge $v \stackrel{L}{\Rightarrow} w$ (resp. $v \stackrel{R}{\Rightarrow} w$) in $E$ DO

    (C.7)  Substitute in $E$ the labeled edge $v \stackrel{L}{\Rightarrow} w$ (resp. $v \stackrel{R}{\Rightarrow} w$) with the
    unlabeled edge $v_L \Rightarrow w$ (resp. $v_R \Rightarrow w$).

END FOR EACH.

[END  COMPLETION  PHASE] 

END  CONSTRUCTION  PROCESS. 

Remark. In what follows, we will denote by $G_I = (N_I, E_I)$, $G_S = (N_S, E_S)$,
and $G_C = (N_C, E_C)$ the skeleton model as constructed at the end of the
Initialization Phase, Stabilization Phase, and Completion Phase of the above C.P.,
respectively.  •

The above Construction Process contains some implicit assertions (cf. for
example lines (S.7), (S.10), (S.12), (S.15), (S.16), (S.17), (S.19), (PS.1), etc.).
Below we will show that under the hypotheses stated at the beginning of the
present section, all assertions are true in any computation $K$ of the C.P.
Subsequently we will prove that the graph $G_C = (N_C, E_C)$ is well-founded
and quasi-extensional (cf. Definitions 1.2 and 1.3). Also we will show that
$G_C$ enjoys several closure properties which will allow us to define a suitable
representation $\mathrm{Repr}$ of $G_C$ for which the assignment $M^{*}x = \mathrm{Repr}(\mathrm{node}(x))$, for
each $x$ occurring in our conjunction $P$, is injective and satisfies $P$.

Let  K  be  a  computation  of  the  C.P.  above. 

We  begin  by  stating  some  simple  properties  of  the  skeleton  model  Gc  which 
can  be  deduced  by  a  mere  inspection  of  the  C.P.  code. 

LEMMA 3.2  (a) Let $v$ be a node such that $v \Rightarrow \mathrm{node}(\pi)$ is in $E_C$ for some
$\pi \in \Pi$. Then, during the computation $K$, $v$ is inserted (and subsequently
processed by Stabilize) either in $L_0$ or in $L_1$.

(b) Conversely, if during the computation $K$ a node $v$ is introduced in one of
the lists $L_0$ and $L_1$, then there is a unique place $\pi \in \Pi$ such that the
edge $v \Rightarrow \mathrm{node}(\pi)$ is in $E_C$ (for specificity, we will indicate this uniquely
characterized place by ${}^{v}\pi$).

(c) No $u \in S_1 \cup S_2 \cup \cdots \cup S_n$ has any predecessors.

(d) $\mathrm{node}(q_0)$ has no predecessors.

(e) For all $\Sigma \subseteq \Pi$ such that $\mathrm{node}(\Sigma) \notin \{\mathrm{node}(x) : x \in V \setminus \{U\}\}$, $\mathrm{node}(\Sigma)$
has no outgoing edges.

(f) After execution of (C.1), the elements of the list $L_2$ are exactly all nodes
$v$ such that $v \Rightarrow \mathrm{node}(\pi)$ is in $E_C$ for some $\pi \in \Pi$.

Proof. Concerning (d), it is enough to notice that by (2.1) and Definition 2.2,
$\{\pi \in \Pi : \pi(q_0) = 1\} = \emptyset$. The remaining points of the lemma can be easily
proved by inspecting the code of the Construction Process.  •

Lemma  3.2(b)  implies  that  assertion  (S.7)  is  satisfied.  By  inducting  on  K 
we  will  show  that  assertions  (S.10),  (S.12),  (S.16),  (S.17),  and  (S.19)  are  also 
satisfied. 

Let $v$ be a node selected at line (S.6), let ${}^{v}\pi$ be the unique place in $\Pi$ such
that $v \Rightarrow \mathrm{node}({}^{v}\pi)$ is in $E_C$ and assume that at the time (S.9) is executed,
$T_v \cap \{\mathrm{node}(x) : x \in V \setminus \{U\}\} = \emptyset$, i.e. $v$ neither has an ancestor of type
$\mathrm{node}(x)$ nor is itself of that type, for any $x \in V \setminus \{U\}$. Since in particular
$v \neq \mathrm{node}(x)$, for each $x \in V \setminus \{U\}$, it follows that either $m(v) = \emptyset$, or the
value $m(v)$ has been set during the execution of line (PS.8) within a call
Stabilize($v', \lambda, \mu, \nu$). In the latter case, by induction, $\mu \in \mathrm{inv}(\lambda)$ and
$\mu \in I_\mu$ for some D-pair $(I_\mu, \nu)$. Hence (PS.8) yields $m(v) = \{\mu\} \subseteq I_\mu$.
Moreover, since by (PS.1) $\nu = {}^{v}\pi$, it follows that the D-pair $(I_\mu, \nu)$ satisfies
all requirements in (S.10). If, on the other hand, $m(v) = \emptyset$, then the validity of
(S.10) follows from condition C10.

So, let $(\Gamma, {}^{v}\pi)$ be a D-pair such that $m(v) \subseteq \Gamma$ (as from (S.10)) and let
$\gamma \in \Gamma \setminus m(v)$ (as from (S.11)). Definition 2.5(ii) of a D-pair implies that
$\mathrm{dom}(\gamma) \neq \emptyset$. Hence, conditions C3(i), C4(i) and (ii), and C5 yield that
$\mathrm{inv}(\gamma) \neq \emptyset$, and that for each $\iota_\gamma \in \mathrm{inv}(\gamma)$ there exists a D-pair
$(I_\gamma, \beta_\gamma)$ such that $\iota_\gamma \in I_\gamma$, thus completing the verification of
assertion (S.12).

Next suppose that at the time $v$ was selected from $L_0$ or $L_1$,
$T_v \cap \{\mathrm{node}(x) : x \in V \setminus \{U\}\} \neq \emptyset$. We will distinguish two cases, according to
whether $v = \mathrm{node}(x)$, for some $x \in V \setminus \{U\}$, or not.

Case: $v = \mathrm{node}(x)$, with $x \in V \setminus \{U\}$. Let $x_0$ be the $\prec$-maximal variable
such that $\mathrm{node}(x_0) \in T_v$. Then $x_0 = x$. In fact, let $u$ be an immediate
predecessor of $v$. If $u \in S_1 \cup S_2 \cup \cdots \cup S_n$, then
$T_u \cap \{\mathrm{node}(y) : y \in V \setminus \{U\}\} = \emptyset$.
On the other hand, if $u \in S_{n+1}$, then the edge connecting $u$ to $v$ was inserted
into $E$ during the execution of a call Stabilize($v', \lambda, \mu, \nu$). Plainly, then

$T_u \cap \{\mathrm{node}(y) : y \in V \setminus \{U\}\} = T_{v'} \cap \{\mathrm{node}(y) : y \in V \setminus \{U\}\}$.  (12)

It is then enough to show that if $\mathrm{node}(y) \in T_u$ for some $y \in V \setminus \{U\}$ and
$u \Rightarrow v$ is in $E_C$, then $y \prec x$. Let $u \Rightarrow v$ and let $y_0$ be the $\prec$-maximal variable
such that $\mathrm{node}(y_0) \in T_u$. From (12), $\mathrm{node}(y_0) \in T_{v'}$ and $y_0$ is also $\prec$-maximal
among the variables $y$ such that $\mathrm{node}(y) \in T_{v'}$. Therefore, by induction and
by (S.16)-(S.19), it follows that $\lambda, \mu \in \Pi_{y_0}$ and $\mathrm{node}(x) \in \{\mathrm{node}(\lambda), \mathrm{node}(\mu)\}$.
This in particular yields $|\{\alpha \in \Pi : \alpha(x) = 1\}| = 1$ and the unique place $\alpha$ such
that $\alpha(x) = 1$ is either $\lambda$ or $\mu$. If $\pi(y_0) = 1$, then, by condition C7, $\pi < \lambda$
and $\pi < \mu$. Hence $y_0 \prec x$ (cf. Definition 3.1), thereby showing that under the
hypothesis that $v = \mathrm{node}(x)$, if $\mathrm{node}(y) \in T_v$, for some $y \in V \setminus \{U\}$, then $y \preceq x$.
By (1.20), $\mathrm{node}(x) \Rightarrow \mathrm{node}(\pi^{x})$ is in $E$. Therefore in the present case
${}^{v}\pi = \pi^{x}$ which, by condition C6, is a member of $\Pi_x$. Thus assertion (S.16) is
completely verified. Since $v = \mathrm{node}(x)$, line (1.23) of the Construction Process
implies that $m(v) = \{\pi^{x,y} \in \Pi : y \in V \setminus \{U\}\}$. Condition C9 guarantees
that there exists a D-pair $(\Gamma, \pi)$ such that $m(v) \subseteq \Gamma \subseteq \Pi_x$ and such that
$\mathrm{inv}(\gamma) \cap \Pi_x \neq \emptyset$, for every $\gamma \in \Gamma$. Hence, plainly, assertions (S.17) and (S.19)
hold, at least in the case in which $v = \mathrm{node}(x)$, for some $x \in V \setminus \{U\}$.

Case: $v \notin \{\mathrm{node}(x) : x \in V \setminus \{U\}\}$. In this case the node $v$ has been
inserted into $N$ during the execution of a call Stabilize($v', \lambda, \mu, \nu$), and since
obviously $v$ has at least one predecessor, from (PS.1), (PS.5), (PS.9) and (PS.10)
it follows that $m(v) = \emptyset$. Notice that since $v \neq \mathrm{node}(x)$, for all $x \in V \setminus \{U\}$,
then $T_v \cap \{\mathrm{node}(x) : x \in V \setminus \{U\}\} = T_{v'} \cap \{\mathrm{node}(x) : x \in V \setminus \{U\}\}$. Therefore,
if $x_0$ is the $\prec$-maximal variable in $V \setminus \{U\}$ such that $\mathrm{node}(x_0) \in T_v$, then as
in the previous case, by inductive hypothesis we can prove that $\lambda, \mu \in \Pi_{x_0}$ and
${}^{v}\pi \in \{\lambda, \mu\}$, i.e. (S.16) holds. Also, much as in the preceding case, it can be
proved that assertions (S.17) and (S.19) are true.

Finally, we conclude the verification that all instructions in the Construction
Process are executable by observing that at initialization the sets $S_{n+1}, S_{n+2}$
are infinite, and that for each $\pi \in \Pi$ the list $L_0$ contains infinitely many nodes
$w$ such that $m(w) = \emptyset$ and $w \Rightarrow \mathrm{node}(\pi)$ is in $E_C$. Hence, in particular,
instructions (1.25), (PS.1), (PS.2), (C.1) and (C.3) are always executable, when
encountered.

The  above  discussion  can  be  summarized  in  the  following  lemma. 

LEMMA 3.3  Under the hypotheses stated at the beginning of the present section,
each computation of the Construction Process is successful, in the sense
that all assertions (resp. instructions) encountered are valid (resp. executable).

Next  we  prove  that  the  graph  Gc  =  (Nc,Ec)  is  well-founded. 

We will begin by proving that $G_I = (N_I, E_I)$ is well-founded. Observe
that $N_I$ consists of $S_1 \cup S_2 \cup \cdots \cup S_n$ plus a finite number of additional nodes.
Therefore, if $G_I$ were not well-founded, by Lemma 3.2(c) it would contain a
finite cycle

$v_0 \Rightarrow v_1 \Rightarrow \cdots \Rightarrow v_{k-1} \Rightarrow v_0$,

where the $v_i$'s are either nodes of type $\mathrm{node}(\Sigma)$, with $\Sigma \subseteq \Pi$, or nodes of type
$v_{x,y}$ introduced during the execution of the FOR-loop at (1.24). If $v_i$ is a node
of type $v_{x,y}$, $i \in \{0, 1, \ldots, k-1\}$, then by (1.27) $v_{i-1} \in \{\mathrm{node}(x), \mathrm{node}(y)\}$ and
$v_{i+1} = \mathrm{node}(\Sigma_{x,y})$, for some $\Sigma_{x,y} \subseteq \Pi$ such that $\pi^{x,y} \in \Sigma_{x,y}$ ($(i-1)$ and $(i+1)$
are to be taken modulo $k$). For specificity, suppose that $v_{i-1} = \mathrm{node}(x) =
\mathrm{node}(\{\pi \in \Pi : \pi(x) = 1\})$. Then, from conditions C8(i) and C7 it follows that
for each $\pi \subseteq x$, $\pi < \pi^{x,y}$. On the other hand, if $v_i$ is of type $\mathrm{node}(x)$, for some
$x \in V \setminus \{U\}$, then $v_{i+1} = \mathrm{node}(\Sigma_x)$, for some $\Sigma_x \subseteq \Pi$ such that $\pi^{x} \in \Sigma_x$. By
C6, then, for every $\pi \subseteq x$ we have $\pi < \pi^{x}$. In any case we have shown that
by deleting from the cycle $v_0 \Rightarrow v_1 \Rightarrow \cdots \Rightarrow v_{k-1} \Rightarrow v_0$ all nodes of type $v_{x,y}$,
we obtain a subcycle of $\Rightarrow^{*}$ (i.e. the transitive closure of $\Rightarrow$),
$v_{i_0} \Rightarrow^{*} v_{i_1} \Rightarrow^{*} \cdots \Rightarrow^{*} v_{i_{k'-1}} \Rightarrow^{*} v_{i_0}$, such that $v_{i_j} = \mathrm{node}(\Sigma_j)$,
$j = 0, 1, \ldots, k'-1$, and for each $j = 0, 1, \ldots, k'-1$ there is an $\alpha_j \in \Sigma_j$ such
that for all $\pi \in \Sigma_{j-1}$ we have $\pi < \alpha_j$. In particular we would have
$\alpha_0 < \alpha_1 < \cdots < \alpha_{k'-1} < \alpha_0$, which is a
contradiction. Thus the graph $G_I = (N_I, E_I)$ is well-founded.

During the Stabilization Phase, new edges can be added to $G$ only by the
procedure Stabilize. Notice that each call to Stabilize can cause only finitely
many new edges to be added to $G$. Therefore to show that the Stabilization
Phase preserves the well-foundedness of $G$, it is enough to prove that the
acyclicity of $G$ cannot be disrupted by calls to the procedure Stabilize.

So assume that $G$ is acyclic prior to the execution of a call Stabilize($v, \lambda, \mu, \nu$).
The effect on $G$ of the call Stabilize($v, \lambda, \mu, \nu$) is that two new nodes, $u_{v,w}$
and $u_{w,v}$, are added to $G$ together with the edges
$v \stackrel{L}{\Rightarrow} u_{v,w}$, $w \stackrel{R}{\Rightarrow} u_{v,w}$,
$v \stackrel{R}{\Rightarrow} u_{w,v}$, $w \stackrel{L}{\Rightarrow} u_{w,v}$,
$u_{v,w} \Rightarrow \mathrm{node}(\Sigma_\lambda)$, for all $\Sigma_\lambda \subseteq \Pi$ such that $\lambda \in \Sigma_\lambda$,
and $u_{w,v} \Rightarrow \mathrm{node}(\Sigma_\mu)$, for all $\Sigma_\mu \subseteq \Pi$ such that $\mu \in \Sigma_\mu$ (observe that $w$ is a
node with no incoming edges and $w \Rightarrow \mathrm{node}(\nu)$ is in $E$; cf. (PS.1), Lemma
3.2(b),(c) and (1.15)). Plainly, the only way a cycle could be introduced into
$G$ is that before the call Stabilize($v, \lambda, \mu, \nu$) is made, there was a path leading
from $\mathrm{node}(\Sigma^{*})$ to $v$, for some $\Sigma^{*} \subseteq \Pi$ such that $\Sigma^{*} \cap \{\lambda, \mu\} \neq \emptyset$. But then, by
Lemma 3.2(e), $\mathrm{node}(\Sigma^{*}) = \mathrm{node}(x^{*})$, for some $x^{*} \in V \setminus \{U\}$. Hence we would
have $T_v \cap \{\mathrm{node}(x) : x \in V \setminus \{U\}\} \neq \emptyset$, thus precluding, by (S.9), the
possibility that the call Stabilize($v, \lambda, \mu, \nu$) can be made from (S.13). But even the
assumption that the call Stabilize($v, \lambda, \mu, \nu$) is made from (S.20) is contradictory.
Indeed, by letting $x_0$ be the $\prec$-maximal variable such that $\mathrm{node}(x_0) \in T_v$,
from (S.15), (S.17), (S.19) it would follow that $\lambda, \mu \in \Pi_{x_0}$. Thus, by condition
C7, we would have $\pi < \lambda$ and $\pi < \mu$, for each $\pi \subseteq x_0$, which, recalling that
$\Sigma^{*} \cap \{\lambda, \mu\} \neq \emptyset$, in turn would imply $x_0 \prec x^{*}$. This, plainly, contradicts the
$\prec$-maximality of $x_0$, and consequently proves that no cycle can be introduced
by the call Stabilize($v, \lambda, \mu, \nu$).

Hence, at the end of the Stabilization Phase the graph $G$ is still well-founded.
Finally, by observing that, essentially, the effect of the Completion Phase
on $G$ is to substitute labeled edges $v \stackrel{L}{\Rightarrow} w$ (resp. $v \stackrel{R}{\Rightarrow} w$) by unlabeled paths
$v \Rightarrow v' \Rightarrow v_L \Rightarrow w$ (resp. $v \Rightarrow v' \Rightarrow v_R \Rightarrow w$) of length 3, it follows plainly that
the well-foundedness of $G$ is also preserved during the Completion Phase.
Hence we have:

LEMMA  3.4   The  graph  Gc  =  (Nc,Ec)  produced  by  the  computation  K  is 
well-founded. 

In order to prove that the graph $G_C = (N_C, E_C)$ is also quasi-extensional,
we partition the set of nodes $N_C$ as follows. In view of Lemma 3.2(f), put

$Cl_1 = \{v' : v \Rightarrow \mathrm{node}(\pi), \text{ for some } \pi \in \Pi\}$,
$Cl_2 = \{v_L : v \Rightarrow \mathrm{node}(\pi), \text{ for some } \pi \in \Pi\}$,
$Cl_3 = \{v_R : v \Rightarrow \mathrm{node}(\pi), \text{ for some } \pi \in \Pi\}$,
$Cl_4 = \{\mathrm{node}(\Sigma) : \Sigma \subseteq \Pi\}$,
$Cl_5 = S_1 \cup S_2 \cup \cdots \cup S_n$ (cf. (1.9)),
$Cl_6 = N_C \setminus \bigcup_{i=1}^{5} Cl_i$,

where $v', v_L, v_R$ have been introduced during the FOR-loop (C.2) of the
Completion Phase.

The following lemma, which can be proved by a simple inspection of the
Construction Process code, lists some useful results concerning the above partition.

LEMMA 3.5  (a) The maps $v \mapsto v'$, $v \mapsto v_L$, and $v \mapsto v_R$, from
$\{v \in N_C : v \Rightarrow \mathrm{node}(\pi), \text{ for some } \pi\}$ into $Cl_1$, $Cl_2$, and $Cl_3$, respectively,
defined during the FOR-loop (C.2) of the C.P. Completion Phase, are
injective.

(b) For each $v'$ in $Cl_1$, $v$ is the unique immediate predecessor of $v'$.

(c) For each $v_L$ in $Cl_2$, $v'$ and 0 are the only immediate predecessors of $v_L$.

(d) For each $v_R$ in $Cl_3$, $v'$ and 2 are the only immediate predecessors of $v_R$.

(e) For each $\Sigma \subseteq \Pi$,

    ($e_1$) if $\Sigma = \emptyset$, then $\mathrm{node}(\Sigma) = \mathrm{node}(q_0)$ has no immediate predecessor;
    ($e_2$) if $\Sigma \neq \emptyset$, then $\mathrm{node}(\Sigma)$ has infinitely many predecessors.

(f) For each $u$ in $Cl_6$ there exist two uniquely determined nodes $v$ and $w$ such
that $v_L$ and $w_R$ are the only immediate predecessors of $u$. To stress
this dependence, we will index the node $u$ with the pair $v, w$ (thus agreeing
with the notation used in (PS.2)).

(g) The partial map $(v, w) \mapsto u_{v,w}$ defined in (f) above is injective.

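An immediate consequence of the preceding lemma is that for all $v_1, v_2 \in
Cl_i$, $i \neq 4$, if $\{u \in N_C : u \Rightarrow v_1 \text{ is in } E_C\} = \{u \in N_C : u \Rightarrow v_2 \text{ is in } E_C\} \neq \emptyset$,
then $v_1 = v_2$. On the other hand, if $v_1, v_2 \in Cl_4$, then $v_1 = \mathrm{node}(\Sigma_1)$ and
$v_2 = \mathrm{node}(\Sigma_2)$ for some $\Sigma_1, \Sigma_2 \subseteq \Pi$. If $v_1 \neq v_2$, then $\Sigma_1 \neq \Sigma_2$, so that there
exists $\pi_j \in (\Sigma_1 \setminus \Sigma_2) \cup (\Sigma_2 \setminus \Sigma_1)$. Let $u^{*} \in S_j$. Therefore by inspecting the
FOR-loop (1.10), we have that $u^{*} \Rightarrow v_1$ is in $E_C$ if and only if $u^{*} \Rightarrow v_2$ is not in $E_C$,
thus showing that $\{u \in N_C : u \Rightarrow v_1 \text{ is in } E_C\} \neq \{u \in N_C : u \Rightarrow v_2 \text{ is in } E_C\}$.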

To complete the proof of the quasi-extensionality of $G_C$, it only remains to
show that if $v_1 \in Cl_i$ and $v_2 \in Cl_j$, with $i \neq j$ and $i, j \neq 5$, then there is a node
$u$ such that the edge $u \Rightarrow v_1$ is in $E_C$ if and only if the edge $u \Rightarrow v_2$ is not in
$E_C$. Since every node in $Cl_1$ has only one immediate predecessor, every node
in $Cl_2 \cup Cl_3 \cup Cl_6$ has only two immediate predecessors, whereas every node
in $Cl_4 \setminus \{\mathrm{node}(q_0)\}$ has infinitely many immediate predecessors, we can further
limit ourselves to verifying the above property only for $i, j \in \{2, 3, 6\}$.

If $v_1 \in Cl_2 \cup Cl_3$ and $v_2 \in Cl_6$, then either $v_1 = w_L$ or $v_1 = w_R$, for
some node $w$ such that the edge $w \Rightarrow \mathrm{node}(\pi)$ is in $E_C$, with $\pi \in \Pi$. But,
in any case, by (b) and (c) of Lemma 3.5, $w' \Rightarrow v_1$ is in $E_C$, with $w' \in Cl_1$,
whereas $w' \Rightarrow v_2$ is not in $E_C$, since by (f) of the same lemma the immediate
predecessors of $v_2$ are contained in $Cl_2 \cup Cl_3$. On the other hand, let $v_L \in Cl_2$
and $w_R \in Cl_3$. Points (c) and (d) of Lemma 3.5 imply respectively that $0 \Rightarrow v_L$
and $\{u \in N_C : u \Rightarrow w_R \text{ is in } E_C\} \subseteq Cl_1 \cup Cl_2$. Hence $0 \Rightarrow w_R$ is not in $E_C$,
since $0 \in Cl_4$. This concludes the proof that the graph $G_C$ is quasi-extensional.
Thus we have:


LEMMA  3.6  At  termination  of  the  Construction  Process,   the  graph  Gc   = 
(Nc,Ec)  is  quasi-extensional. 

The  following  lemma  collects  some  closure  properties  enjoyed  by  the  graph 
Gc. 
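
LEMMA 3.7  (a) For each $x \in V \setminus \{U\}$, $\mathrm{node}(x) \Rightarrow \mathrm{node}(\pi^{x})$ is in $E_C$.

(b) For each $x, y \in V \setminus \{U\}$, there exists a unique node $u_{x,y} \in Cl_6$ such that
$(\mathrm{node}(x))_L \Rightarrow u_{x,y}$, $(\mathrm{node}(y))_R \Rightarrow u_{x,y}$, and $u_{x,y} \Rightarrow \mathrm{node}(\pi^{x,y})$ are in $E_C$.
(Note: $u_{x,y}$ is an abbreviation for $u_{\mathrm{node}(x),\,\mathrm{node}(y)}$; cf. Lemma 3.5(f).)

(c) Let $v$ be a node such that $v \Rightarrow \mathrm{node}({}^{v}\pi)$ is in $E_C$, with ${}^{v}\pi \in \Pi$. Then
there exists a D-pair $(\Gamma, {}^{v}\pi)$ such that for each $\gamma \in \Gamma$, there is a node $w$
for which $u_{v,w} \Rightarrow \mathrm{node}(\gamma)$ is in $E_C$, and vice versa, if for some node $w$
and place $\pi \in \Pi$ the edge $u_{v,w} \Rightarrow \mathrm{node}(\pi)$ is in $E_C$, then $\pi \in \Gamma$.

(d) Let $u_{v,w_1} \Rightarrow \mathrm{node}(\pi)$, $u_{v,w_2} \Rightarrow \mathrm{node}(\pi)$ be in $E_C$, for some $v, w_1, w_2 \in N_C$,
$\pi \in \Pi$ such that $w_1 \neq w_2$. Then $v, w_1, w_2 \in \{\mathrm{node}(x) : x \in V \setminus \{U\}\}$.

(e) If $u_{v,w} \Rightarrow \mathrm{node}(\alpha)$ is in $E_C$, for some $u_{v,w} \in Cl_6$ and $\alpha \in \Pi$, then
$u_{w,v} \in Cl_6$ and for some $\beta \in \mathrm{inv}(\alpha)$, $u_{w,v} \Rightarrow \mathrm{node}(\beta)$ is in $E_C$.

(f) For all $v \in N_C$ and $x \in V$, $v \Rightarrow \mathrm{node}(x)$ is in $E_C$ if and only if
$v \Rightarrow \mathrm{node}(\pi)$ is in $E_C$ for some $\pi \subseteq x$.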

Proof. (a) and (b) follow immediately from (1.20) and (1.27), together with
(C.5), respectively.

Concerning (c), let $v$ be a node in $N_C$ such that $v \Rightarrow \mathrm{node}({}^{v}\pi)$ is in $E_C$.
Lemma 3.2(a) implies that $v$ is put either in $L_0$ or in $L_1$ during the computation
$K$. Hence eventually it will be selected during the Stabilization Phase at line
(S.6). From (S.10), (S.11) and (S.17), (S.18), it follows that there is a D-pair
$(\Gamma^{*}, {}^{v}\pi)$ such that, for each $\gamma \in \Gamma^{*} \setminus m(v)$, $v_L \Rightarrow u_{v,w}$ and $u_{v,w} \Rightarrow \mathrm{node}(\gamma)$ are in
$E_C$, for some node $w$. On the other hand, if $\gamma \in m(v)$, then the same conclusion
follows either from (1.19) and (1.24) or from (PS.4), according to whether $v$ is
of type $\mathrm{node}(x)$, $x \in V \setminus \{U\}$, or $v$ is the element selected at (PS.1) during the
execution of a call to the procedure Stabilize.

Conversely, if for some node $w$ and some place $\pi^{*} \in \Pi$ the edge
$u_{v,w} \Rightarrow \mathrm{node}(\pi^{*})$ is in $E_C$, then $v \stackrel{L}{\Rightarrow} u_{v,w}$ is in $E_S$. If $v \stackrel{L}{\Rightarrow} u_{v,w}$ is introduced into
$E_S$ during the execution of (1.27), then $v = \mathrm{node}(x)$, $w = \mathrm{node}(y)$, for some
$x, y \in V \setminus \{U\}$, and $\pi^{*} = \pi^{x,y} \in m(\mathrm{node}(x))$ (cf. (1.23)). Therefore, by (S.17),
$m(v) \subseteq \Gamma^{*}$, and in particular $\pi^{*} \in \Gamma^{*}$. On the other hand, if $v \stackrel{L}{\Rightarrow} u_{v,w}$ is
introduced during the execution of a call Stabilize($v, \pi^{*}, \mu, \nu$), then by (S.10)
and (S.17) $\pi^{*} \in \Gamma^{*}$. Finally, if $v \stackrel{L}{\Rightarrow} u_{v,w}$ is introduced during the execution
of a call Stabilize($w, \lambda, \pi^{*}, \nu$), then $m(v) = \{\pi^{*}\}$, so that when eventually $v$ is
selected at (S.6), (S.10) and (S.17) will imply that $\pi^{*} \in \Gamma^{*}$.

Concerning (d), let $v, w_1, w_2 \in N_C$, $\pi \in \Pi$ be such that $w_1 \neq w_2$ and
$u_{v,w_1} \Rightarrow \mathrm{node}(\pi)$, $u_{v,w_2} \Rightarrow \mathrm{node}(\pi)$ are in $E_C$. By (c) above there exists a
D-pair $(\Gamma, {}^{v}\pi)$ such that $\pi \in \Gamma$ and the edge $v \Rightarrow \mathrm{node}({}^{v}\pi)$ is in $E_C$. If either
$\pi \in \Gamma \setminus m(v)$ or $\pi \in m(v)$, where the value $m(v)$ was set at line (PS.8), then
inspection of the FOR-loops (S.11) and (S.18), as well as of the procedure
Stabilize, yields $w_1 = w_2$, a contradiction. Therefore we must have $\pi \in m(v)$,
where the value $m(v)$ was set at line (1.23), in which case inspection of the
FOR-loop (1.24) yields the conclusion.

Next, as regards (e), let $u_{v,w} \Rightarrow \mathrm{node}(\alpha)$ be in $E_C$, for some $u_{v,w} \in Cl_6$. If
$u_{v,w}$ was introduced into $N_C$ at (1.26), then $v = \mathrm{node}(x)$ and $w = \mathrm{node}(y)$, for
some $x, y \in V \setminus \{U\}$, and $\alpha = \pi^{x,y}$. Therefore, $u_{w,v} \Rightarrow \mathrm{node}(\pi^{y,x})$ is introduced
in $E_C$ during the execution of the FOR-loop (1.24), and it is enough to observe
that by condition C8(iii), $\pi^{y,x} \in \mathrm{inv}(\pi^{x,y}) = \mathrm{inv}(\alpha)$. On the other hand, if
$u_{v,w}$ was introduced into $N_C$ during the execution of a call Stabilize($v_1, \lambda, \mu, \nu$),
with $\alpha \in \{\lambda, \mu\}$, then $u_{w,v}$ is also introduced during the same call and
$u_{w,v} \Rightarrow \mathrm{node}(\beta)$, where $\beta \in \{\lambda, \mu\} \setminus \{\alpha\}$. But from (S.12) and (S.19) it follows that
$\mu \in \mathrm{inv}(\lambda)$, which by condition C4(i) yields $\lambda \in \mathrm{inv}(\mu)$. Thus in any case
$\beta \in \mathrm{inv}(\alpha)$, and the proof of (e) is completed.

Finally, concerning (f) it is enough to observe that as soon as a new edge
$v \Rightarrow \mathrm{node}(\pi)$ is introduced in $E_C$, the call Propagate($v, \pi$) is made, with the
effect that edges $v \Rightarrow \mathrm{node}(\Sigma)$, for all $\Sigma \subseteq \Pi$ such that $\pi \in \Sigma$, are introduced
into $E_C$. This completes the proof of the lemma.  •

Having proved that the graph $G_C$ is well-founded and quasi-extensional and
that it possesses the closure properties stated in the preceding lemma, we next
define a suitable representation of $G_C$ from which subsequently an injective
model of $P$ will be extracted.

Put

$A_i = \{\{3i, 3i+1, 3i+2\}\}$,  $i = 1, 2, \ldots$  (13)

and let $I$ be a one-to-one correspondence from $S_1 \cup S_2 \cup \cdots \cup S_n$ into
$\{A_i : i = 1, 2, \ldots\}$ ($S_1 \cup S_2 \cup \cdots \cup S_n$ is the set of nodes in $N_C \setminus \{\mathrm{node}(q_0)\}$ with no
immediate predecessors). Extend $I$ to the whole $N_C$ by putting $I(v) = \emptyset$, for
all $v \in N_C \setminus (S_1 \cup S_2 \cup \cdots \cup S_n)$. Then by induction on $\mathrm{height}(v)$, for all $v$ we
put:

$\mathrm{Repr}(v) = \{\mathrm{Repr}(u) : u \Rightarrow v \text{ is in } E_C\} \cup I(v)$.  (14)

The  map  Repr  is  a  representation  of  Gc  (in  the  sense  of  Definition  1.4),  as 
proved  in  the  following  lemma. 

LEMMA 3.8  For all $u, v \in N_C$

(a) if $\mathrm{Repr}(u) = \mathrm{Repr}(v)$ then $u = v$;

(b) $\mathrm{Repr}(u) \in \mathrm{Repr}(v)$ if and only if $u \Rightarrow v$ is in $E_C$.

Proof. (a) We will proceed by induction on $M = \max(\mathrm{height}(u), \mathrm{height}(v))$. If
$M = 0$ then $\mathrm{height}(u) = \mathrm{height}(v) = 0$, i.e.

$u, v \in S_1 \cup S_2 \cup \cdots \cup S_n \cup \{\mathrm{node}(q_0)\}$.

Therefore by (14) $\mathrm{Repr}(u) = I(u)$ and $\mathrm{Repr}(v) = I(v)$. Thus by the
injectivity of $I$ over $S_1 \cup S_2 \cup \cdots \cup S_n \cup \{\mathrm{node}(q_0)\}$, if $I(u) = I(v)$, then $u = v$.
Concerning the inductive step, suppose that $\mathrm{Repr}(u) = \mathrm{Repr}(v)$. For
specificity, assume that $\mathrm{height}(u) > 0$, so that $I(u) = \emptyset$. Let $w_1 \Rightarrow u$ be in $E_C$
and let $t = \mathrm{Repr}(w_1)$. Notice that by Lemma 3.5, no node in $N_C$ has exactly
three immediate predecessors. Therefore, by induction, $|\mathrm{Repr}(w_1)| \neq 3$, that is
$\mathrm{Repr}(w_1) \in \mathrm{Repr}(v) \setminus I(v)$ (this in particular shows that $I(v) = \emptyset$). By (14)
there must exist $w_2 \in N_C$ such that $w_2 \Rightarrow v$ is in $G_C$ and $\mathrm{Repr}(w_2) = \mathrm{Repr}(w_1)$.
But $\max(\mathrm{height}(w_1), \mathrm{height}(w_2)) < \max(\mathrm{height}(u), \mathrm{height}(v))$; hence by
induction $w_1 = w_2$, i.e. $w_1 \Rightarrow v$ is in $G_C$. Likewise, we can prove that if $w_1 \Rightarrow v$
is in $E_C$ then so is $w_1 \Rightarrow u$. Thus by quasi-extensionality it follows $u = v$,
completing the proof of (a).

(b) By definition (13), if $u \Rightarrow v$ is in $E_C$, then $\mathrm{Repr}(u) \in \mathrm{Repr}(v)$. Next we
prove that if $\mathrm{Repr}(u) \in \mathrm{Repr}(v)$, $u, v \in N_C$, then the edge $u \Rightarrow v$ is in $E_C$. If
$\mathrm{height}(u) = 0$, then $\mathrm{Repr}(u) = I(u)$, and by (13) $|\mathrm{Repr}(u)| \leq 1$. On the other
hand, as observed above, if $\mathrm{height}(u) \neq 0$, then $|\mathrm{Repr}(u)| \neq 3$. In any case
$|\mathrm{Repr}(u)| \neq 3$, for all $u \in N_C$. Thus $\mathrm{Repr}(u) \notin I(v)$ and by (14) there must
exist $w$ such that $w \Rightarrow v$ is in $E_C$ and $\mathrm{Repr}(u) = \mathrm{Repr}(w)$. But by (a) above
$u = w$, hence $u \Rightarrow v$ is in $E_C$, proving (b) and in turn completing the proof of
the lemma.  •

Next  we  state  some  properties  of  the  map  Repr. 

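LEMMA 3.9  (a) $\mathrm{Repr}(v') = \{\mathrm{Repr}(v)\}$, for all $v' \in Cl_1$;

(b) $\mathrm{Repr}(\mathrm{node}(q_0)) = \emptyset$;

(c) $\mathrm{Repr}(v_L) = \{\emptyset, \{\mathrm{Repr}(v)\}\}$, for all $v_L \in Cl_2$;

(d) $\mathrm{Repr}(2) = \{\emptyset, \{\emptyset\}\} = 2$;

(e) $\mathrm{Repr}(v_R) = \{2, \{\mathrm{Repr}(v)\}\}$, for all $v_R \in Cl_3$;

(f) $|\mathrm{Repr}(v)| \geq \omega$, for all $v \in Cl_4 \setminus \{\mathrm{node}(q_0)\}$;

(g) $|\mathrm{Repr}(v)| = 1$, for all $v \in Cl_5$;

(h) $\mathrm{Repr}(u_{v,w}) = [\mathrm{Repr}(v), \mathrm{Repr}(w)]$, for all $u_{v,w} \in Cl_6$.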

Proof.  The  lemma  follows  from  Lemmas  3.5,  3.6,  3.8  and  the  definition  (14) 
of  Repr.  • 
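
The following Python sketch is an added illustration, not code from the paper: it runs the Completion Phase (C.1)-(C.7) and definition (14) of Repr on a small finite graph and checks Lemma 3.8 and Lemma 3.9(a)-(e),(h) on it. The graph (source nodes s1, s2, place nodes node(alpha), node(beta), pair nodes u[s1,s2], u[s2,s1]) is constructed for the example, since the paper's sets $S_i$ are infinite; the pair encoding [a, b] = {{0, {a}}, {2, {b}}} is the one that Lemma 3.5(f) and Lemma 3.9(c),(e),(h) jointly imply, and integers are assumed to be von Neumann numerals.

```python
from itertools import product

EMPTY = frozenset()

def ordinal(n):
    """von Neumann numeral n = {0, 1, ..., n-1} (assumed reading of the integers in (13))."""
    s = EMPTY
    for _ in range(n):
        s = s | {s}
    return s

TWO = ordinal(2)

def atom(i):
    """A_i = {{3i, 3i+1, 3i+2}} from (13)."""
    return frozenset({frozenset(ordinal(3 * i + k) for k in range(3))})

def pair(a, b):
    """[a, b] = {{0, {a}}, {2, {b}}}: encoding implied by Lemma 3.5(f) and 3.9(c),(e),(h)."""
    return frozenset({frozenset({EMPTY, frozenset({a})}),
                      frozenset({TWO, frozenset({b})})})

def completion_phase(unlabeled, labeled, q0):
    """(C.1)-(C.7): each labeled edge v =L=> w (v =R=> w) becomes v_L => w (v_R => w)."""
    E = set(unlabeled)
    L2 = [q0] + sorted({v for v, _, _ in labeled} - {q0})   # (C.1), node(q0) first
    zero, two = q0, q0 + "_L"                                # the nodes written 0 and 2
    for v in L2:                                             # (C.2)-(C.5)
        E |= {(v, v + "'"), (v + "'", v + "_L"), (zero, v + "_L"),
              (v + "'", v + "_R"), (two, v + "_R")}
    for v, w, label in labeled:                              # (C.6)-(C.7)
        E.add((v + "_" + label, w))
    return E, L2

def representation(E, I):
    """Repr(v) = {Repr(u) : u => v in E} | I(v), equation (14), by recursion on height."""
    preds = {}
    for u, v in E:
        preds.setdefault(u, set())
        preds.setdefault(v, set()).add(u)
    memo = {}

    def repr_of(v, path=()):
        if v in path:   # (14) only makes sense on a well-founded graph (Lemma 3.4)
            raise ValueError("cycle through " + v + ": graph is not well-founded")
        if v not in memo:
            memo[v] = frozenset(repr_of(u, path + (v,)) for u in preds[v]) | I.get(v, EMPTY)
        return memo[v]

    return {v: repr_of(v) for v in preds}

def violations(E, L2, R):
    """Statements of Lemma 3.8 and Lemma 3.9(a),(c),(e) that fail on (E, R); [] if none."""
    bad = []
    for v in L2:
        if R[v + "'"] != frozenset({R[v]}):
            bad.append(("3.9(a)", v))
        if R[v + "_L"] != frozenset({EMPTY, frozenset({R[v]})}):
            bad.append(("3.9(c)", v))
        if R[v + "_R"] != frozenset({TWO, frozenset({R[v]})}):
            bad.append(("3.9(e)", v))
    for u, v in product(R, repeat=2):
        if u != v and R[u] == R[v]:
            bad.append(("3.8(a)", u, v))
        if (R[u] in R[v]) != ((u, v) in E):
            bad.append(("3.8(b)", u, v))
    return bad

def build_example():
    """Constructed finite fragment: two sources, two place nodes, two pair nodes."""
    q0 = "node(q0)"
    unlabeled = {("s1", "node(beta)"), ("s2", "node(beta)"),
                 ("u[s1,s2]", "node(alpha)"), ("u[s2,s1]", "node(alpha)")}
    labeled = [("s1", "u[s1,s2]", "L"), ("s2", "u[s1,s2]", "R"),   # as in (PS.4)
               ("s2", "u[s2,s1]", "L"), ("s1", "u[s2,s1]", "R")]
    E, L2 = completion_phase(unlabeled, labeled, q0)
    R = representation(E, {"s1": atom(1), "s2": atom(2)})
    return E, L2, R

if __name__ == "__main__":
    E, L2, R = build_example()
    print(len(R), "nodes;", "violations:", violations(E, L2, R))
```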

An  immediate  consequence  of  the  preceding  lemma  is  the  following  result. 

COROLLARY 3.10  If $[s, t] \in \mathrm{Repr}(u)$, with $u \in N_C$, then there exists $u_{v,w} \in
Cl_6$ such that the edge $u_{v,w} \Rightarrow u$ is in $E_C$ and $\mathrm{Repr}(u_{v,w}) = [s, t]$.

For each variable $x$ occurring in $P$, put

$M^{*}x = \mathrm{Repr}(\mathrm{node}(x))$.  (15)

Also, for each $\pi \in \Pi$ we put

$\overline{\pi} = \mathrm{Repr}(\mathrm{node}(\pi))$.  (16)

We will prove below that $M^{*}$ is an injective model of the conjunction $P$.
We need the following lemma.

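LEMMA 3.11  (a) The sets $\overline{\pi}$ are nonempty and pairwise disjoint.

(b) For each variable $x$ occurring in $P$, $M^{*}x = \bigcup_{\pi(x) = 1} \overline{\pi}$.

(c) For every variable $x \in V \setminus \{U\}$, $M^{*}x \in \overline{\pi^{x}}$.

(d) For all variables $x, y \in V \setminus \{U\}$, $[M^{*}x, M^{*}y] \in \overline{\pi^{x,y}}$.

(e) If $[s, t] \in \overline{\alpha}$, with $\alpha \in \Pi$, then for some $\beta \in \mathrm{dom}(\alpha)$, $s \in \overline{\beta}$.

(f) If $s \in \overline{\beta}$, with $\beta \in \Pi$, then there is a D-pair $(\Gamma, \beta)$ such that for each
$\gamma \in \Gamma$, $s \in \mathrm{Dom}(\overline{\gamma})$.

(g) If $[s, t] \in \overline{\alpha}$, with $\alpha \in \Pi$, then for some $\beta \in \mathrm{inv}(\alpha)$, $[t, s] \in \overline{\beta}$.

(h) If $[s, t_1], [s, t_2] \in M^{*}f$, for some variable $f$ such that the conjunct
SINGLEVALUED($f$) is in $P$, then $t_1 = t_2$.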

Proof. (a) By Lemma 3.9(f), $\overline{\pi} = \mathrm{Repr}(\mathrm{node}(\pi))$ is infinite. The pairwise
disjointness of sets $\overline{\pi}$, $\pi \in \Pi$, follows from Lemma 3.2(a),(b), the
quasi-extensionality of $G_C$ (cf. Lemma 3.6) and Lemma 3.8.

(b) This is an immediate consequence of Lemma 3.7(f) and the definition
of $\mathrm{Repr}$ (cf. (14)).

(c) Lemma 3.7(a) yields that for each $x \in V \setminus \{U\}$ the edge
$\mathrm{node}(x) \Rightarrow \mathrm{node}(\pi^{x})$ is in $E_C$. Therefore

$M^{*}x = \mathrm{Repr}(\mathrm{node}(x)) \in \mathrm{Repr}(\mathrm{node}(\pi^{x})) = \overline{\pi^{x}}$.

(d) Let $x, y \in V \setminus \{U\}$. Then by Lemma 3.7(b) and Lemma 3.9(h) we have

$[M^{*}x, M^{*}y] = [\mathrm{Repr}(\mathrm{node}(x)), \mathrm{Repr}(\mathrm{node}(y))] \in \overline{\pi^{x,y}}$.

(e) Assume that $[s, t] \in \overline{\alpha}$, for some $\alpha \in \Pi$. Then by Corollary 3.10 there
exists $u_{v,w} \in Cl_6$ such that $u_{v,w} \Rightarrow \mathrm{node}(\alpha)$ is in $E_C$, and $\mathrm{Repr}(u_{v,w}) = [s, t]$.
Let $\beta$ be the place in $\Pi$ such that $v \Rightarrow \mathrm{node}(\beta)$ is in $E_C$. By Lemma 3.7(c) there
exists a D-pair $(\Gamma, \beta)$ such that in particular $\alpha \in \Gamma$. Hence by the definition itself
of a D-pair (cf. Definition 2.5(ii)), $\beta \in \mathrm{dom}(\alpha)$. In addition, since $v$ is connected
to $\mathrm{node}(\beta)$ in $G_C$, it follows that $\mathrm{Repr}(v) \in \overline{\beta}$. But $[s, t] = \mathrm{Repr}(u_{v,w}) =
[\mathrm{Repr}(v), \mathrm{Repr}(w)]$ (cf. Lemma 3.9(h)), hence $s \in \overline{\beta}$ with $\beta \in \mathrm{dom}(\alpha)$, proving
(e).

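(f) Next, suppose that $s \in \overline{\beta}$, for some place $\beta \in \Pi$. Hence $s = \mathrm{Repr}(v)$
with $v \Rightarrow \mathrm{node}(\beta)$ in $E_C$. Again by Lemma 3.7(c) there exists a D-pair $(\Gamma, \beta)$
such that for each $\gamma$ there is a node $w_\gamma$ for which $u_{v,w_\gamma} \Rightarrow \mathrm{node}(\gamma)$ is in $E_C$.
Hence, by Lemma 3.9(h), $[s, \mathrm{Repr}(w_\gamma)] \in \overline{\gamma}$, which in turn implies $s \in \mathrm{Dom}(\overline{\gamma})$.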

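(g) Let $[s,t] \in \overline{\alpha}$, with $\alpha \in \Pi$. Following the proof of (e) above, we have that
there is a node $u_{v,w}$ in $\Omega_C$ such that $u_{v,w} \Rightarrow \mathrm{node}(\alpha)$ is in $E_C$ and $\mathrm{Repr}(u_{v,w}) =
[s,t]$ (which by Lemma 3.9(h) implies $s = \mathrm{Repr}(v)$ and $t = \mathrm{Repr}(w)$). From
Lemma 3.7(e), it follows that $u_{w,v} \Rightarrow \mathrm{node}(\beta)$ is in $E_C$ for some $\beta \in \mathrm{inv}(\alpha)$.
Hence $[t,s] = [\mathrm{Repr}(w), \mathrm{Repr}(v)] \in \overline{\beta}$, with $\beta \in \mathrm{inv}(\alpha)$.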

(h) Finally, let $[s,t_1], [s,t_2] \in M^*f$, where the clause SINGLEVALUED($f$)
is in $P$. Let $[s,t_1] \in \overline{\alpha_1}$ and $[s,t_2] \in \overline{\alpha_2}$, with $\alpha_1, \alpha_2 \subseteq f$. Corollary 3.10 and
Lemma 3.8(a) give that $[s,t_1] = \mathrm{Repr}(u_{v,w_1})$ and $[s,t_2] = \mathrm{Repr}(u_{v,w_2})$, for some
nodes $v, w_1, w_2$ such that $u_{v,w_1} \Rightarrow \mathrm{node}(\alpha_1)$ and $u_{v,w_2} \Rightarrow \mathrm{node}(\alpha_2)$ are in $E_C$.
Hence by Lemma 3.7(c), there is a D-pair $(\Gamma, \pi)$ such that $\alpha_1, \alpha_2 \in \Gamma$ and
$v \Rightarrow \mathrm{node}(\pi)$ is in $E_C$. But then the definition itself of a D-pair (cf. Definition
2.5(iii)) implies $\alpha_1 = \alpha_2$, which by Lemma 3.7(d) in turn gives $v, w_1, w_2 \in
\{\mathrm{node}(x) : x \in V \setminus \{U\}\}$. Let $v = \mathrm{node}(x)$, $w_1 = \mathrm{node}(y)$, and $w_2 = \mathrm{node}(z)$.
Then, by Lemma 3.7(b), $\pi^{x,y} = \alpha_1 = \alpha_2 = \pi^{x,z}$, which, by condition C11,
yields $y = z$. Hence $t_1 = \mathrm{Repr}(w_1) = \mathrm{Repr}(\mathrm{node}(y)) = \mathrm{Repr}(w_2) = t_2$, which
concludes the proof of (h) and in turn of the lemma. ∎

Now we are ready to prove that the assignment $M^*$ is an injective model of
all conjuncts in $P$.

As concerns the injectivity, notice that by condition C1 the map $x \mapsto \{\pi \in
\Pi : \pi \subseteq x\}$ is one-one. Thus Lemma 3.11(a),(b) yields that $M^*x \neq M^*y$ for
any two distinct variables $x$ and $y$ in $P$, i.e. $M^*$ is injective.

Next  we  prove  that  all  conjuncts  of  P  are  satisfied  by  the  assignment  M*. 

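Let $x = y \cup z$ be in $P$. Then in view of Lemma 3.11(a),(b) and the properties
of places (cf. Definition 2.2), we have

$$M^*x = \bigcup_{\pi(x)=1} \overline{\pi} = \bigcup_{\pi(y)=1 \,\vee\, \pi(z)=1} \overline{\pi} = \bigcup_{\pi(y)=1} \overline{\pi} \;\cup \bigcup_{\pi(z)=1} \overline{\pi} = M^*y \cup M^*z,$$

i.e. $x = y \cup z$ is modeled correctly by $M^*$.
Next, let $x = y \setminus z$ be in $P$. Then we have

$$M^*x = \bigcup_{\pi(x)=1} \overline{\pi} = \bigcup_{\pi(y)=1 \,\wedge\, \pi(z)=0} \overline{\pi} = \bigcup_{\pi(y)=1} \overline{\pi} \setminus \Big( \bigcup_{\pi(z)=1} \overline{\pi} \Big) = M^*y \setminus M^*z,$$

which shows that the conjunct $x = y \setminus z$ is also satisfied by $M^*$.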

If $x \in y$ (resp. PAIR_IN($x, y, f$)) occurs in $P$, then since $\pi^{x}$ (resp. $\pi^{x,y}$)
is a place at the variable $x$ (resp. at the pair $[x,y]$), then (cf. Definition 2.3
(resp. Definition 2.4)) $\pi^{x}(y) = 1$ (resp. $\pi^{x,y}(f) = 1$). Therefore Lemma 3.11(c)
(resp. Lemma 3.11(d)) yields $M^*x \in \overline{\pi^{x}} \subseteq M^*y$, i.e. $M^*x \in M^*y$ (resp.
$[M^*x, M^*y] \in M^*f$). Hence literals of type $x \in y$ (resp. PAIR_IN($x, y, f$)) are
correctly modeled by $M^*$.

Next, let $d = Df$ be a clause in $P$. In this case we need to verify that
$M^*d = \mathrm{Dom}(M^*f)$, which we do as follows. Let $s \in M^*d$, and in particular let
$\beta \subseteq d$ be such that $s \in \overline{\beta}$. From Lemma 3.11(f) it follows that there is a D-pair
$(\Gamma, \beta)$ such that for each $\gamma \in \Gamma$, $s \in \mathrm{Dom}(\overline{\gamma})$. Also, from the definition itself
of a D-pair (cf. Definition 2.5(iv)), since $\beta(d) = 1$, there is a $\gamma_0 \in \Gamma$ such that
$\gamma_0(f) = 1$, where the clause $d = Df$ is in $P$. Hence $s \in \mathrm{Dom}(\overline{\gamma_0}) \subseteq \mathrm{Dom}(M^*f)$,
which in turn implies $M^*d \subseteq \mathrm{Dom}(M^*f)$. To prove the converse inclusion, let
$s \in \mathrm{Dom}(M^*f)$. Thus for some set $t$, $[s,t] \in M^*f$. Let $\alpha \subseteq f$ be such that
$[s,t] \in \overline{\alpha}$. Lemma 3.11(e) yields the existence of a place $\beta \in \mathrm{dom}(\alpha)$ such
that $s \in \overline{\beta}$. But then from condition C3(ii), we have $\beta(d) = 1$, which implies
$s \in M^*d$. Thus $\mathrm{Dom}(M^*f) \subseteq M^*d$, and in conclusion $M^*d = \mathrm{Dom}(M^*f)$,
proving that clauses $d = Df$ are correctly modeled too.

As regards clauses of type INV, let INV($f, g$) be one such. Assume that
$[s,t] \in M^*f$ and let $\alpha \subseteq f$ be such that $[s,t] \in \overline{\alpha}$. Then, from Lemma 3.11(g),
there exists a place $\beta \in \mathrm{inv}(\alpha)$ such that $[t,s] \in \overline{\beta}$. To prove that $[t,s] \in M^*g$,
it only remains to show that $\beta(g) = 1$. But this follows immediately from
condition C4(iii). Symmetrically one can prove that if $[s,t] \in M^*g$, then $[t,s] \in
M^*f$. Hence $M^*f$ is an inverse of $M^*g$, in the sense specified at the beginning
of Section 1.

Finally,  from  Lemma  3.11(h)  it  follows  that  M*  satisfies  all  conjuncts  in  P 
of  the  form  SINGLEVALUED(/). 

This  concludes  the  proof  that  M*  is  an  injective  model  of  P.  Thus  we  have 

LEMMA 3.12 The conditions stated in Lemma 2.7, necessary for the injective
satisfiability of a conjunction $P$ of simple positive clauses of type $x = y \cup z$,
$x = y \setminus z$, $x \in y$, PAIR_IN($x, y, f$), $d = Df$, INV($f, g$), SINGLEVALUED($f$),
containing clauses (3), are also sufficient.

In  view  of  Lemma  1.1  and  by  observing  that  the  conditions  stated  in  Lemma 
2.7  are  effectively  verifiable  we  have 

THEOREM 3.13 The class C of propositional combinations of set-theoretic
clauses of the form (1) has a solvable satisfiability problem, and Lemma 3.12
suggests a specific decision procedure for C.
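
The clause-by-clause verification carried out above for $M^*$ can be replayed mechanically on a small finite assignment. The following is an added example, not part of the paper: it evaluates each clause form of (1) under a given assignment and checks injectivity, but does not construct $M^*$ itself. The clause tags, function names and the encoding of an ordered pair as a Python tuple are assumptions made for illustration.

```python
# Added example (not from the paper). Assumption: an ordered pair [s, t] is a
# Python 2-tuple; the paper's own set encoding of pairs is not modelled.

def pairs(f):
    """pairs(f): the ordered pairs among the elements of f."""
    return {p for p in f if isinstance(p, tuple) and len(p) == 2}

def dom(f):
    """Dom(f) = {s : [s, t] in pairs(f) for some t}."""
    return frozenset(s for s, _ in pairs(f))

def holds(clause, M):
    """Truth value of one clause of form (1) under the assignment M."""
    kind, *v = clause
    if kind == "union":         # x = y U z
        return M[v[0]] == M[v[1]] | M[v[2]]
    if kind == "diff":          # x = y \ z
        return M[v[0]] == M[v[1]] - M[v[2]]
    if kind == "in":            # x in y
        return M[v[0]] in M[v[1]]
    if kind == "dom":           # d = Df
        return M[v[0]] == dom(M[v[1]])
    if kind == "pair_in":       # PAIR_IN(x, y, f)
        return (M[v[0]], M[v[1]]) in pairs(M[v[2]])
    if kind == "inv":           # INV(f, g): pairs(f) = (pairs(g))^-1
        return pairs(M[v[0]]) == {(t, s) for s, t in pairs(M[v[1]])}
    if kind == "singlevalued":  # no two distinct pairs [s, t], [s, t']
        ps = pairs(M[v[0]])
        return len({s for s, _ in ps}) == len(ps)
    raise ValueError(f"unknown clause kind: {kind}")

def is_injective_model(P, M):
    """M satisfies every conjunct of P and is one-one on the variables."""
    return len(set(M.values())) == len(M) and all(holds(c, M) for c in P)

# Constructed sample: hereditarily finite sets built from the empty set.
E = frozenset()
A = frozenset({E})
SAMPLE_M = {
    "x": E, "y": frozenset({A}), "d": A,
    "f": frozenset({(E, frozenset({A}))}),
    "g": frozenset({(frozenset({A}), E), E}),   # inverse pairs plus a non-pair
    "u": frozenset({E, A}),
}
SAMPLE_P = [("in", "x", "d"), ("pair_in", "x", "y", "f"), ("dom", "d", "f"),
            ("inv", "f", "g"), ("singlevalued", "f"),
            ("union", "u", "d", "y"), ("diff", "d", "u", "y")]
```

The value assigned to `g` contains a non-pair element besides the inverted pair, so the sample also exercises the remark in Section 1 that a set admits an entire class of inverses.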